v7.8beta [testing] is released!

emils · Fri Jan 20, 2023 3:52 pm

RouterOS version 7.8beta2 has been released "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.8beta2 (2023-Jan-20 12:27):

Important note!!!

Version is not recommended on CRS3xx devices.

Changes in this release:

!) storage - added new "rose-storage" package support for extended disk management and monitoring functionality (ARM, ARM64, Tile and x86) (CLI only);
*) bgp - fixed setting of "default-prepend" parameter;
*) bridge - fixed PVID warning typo;
*) bridge - improved HW offloading logic;
*) certificate - improved certificate management, signing and storing processes;
*) conntrack - improved system stability when changing connection tracking state;
*) container - added authentication option for registry (CLI only);
*) container - fixed ".type" file ownership;
*) container - fixed file ownership after system upgrade for containers running on internal disk;
*) container - fixed multiple container automatic startup on boot;
*) disk - limit maximum TMPFS size;
*) dns - added configurable DoH concurrent query limitation parameters (CLI only);
*) dns - do not cache results from ":resolve" command with specific server;
*) dns - limited "DoH max concurrent queries reached" logging messages to once per minute;
*) firewall - fixed bridge priority target;
*) firewall - fixed DSCP priority target for IPv6 Mangle;
*) firewall - fixed netmap range maximum address calculation for IPv6 NAT;
*) graphing - fixed hiding of target queues when "allow-target" is disabled;
*) graphing - fixed sorting of interface and queue graphs;
*) graphing - properly handle disabled and static-binding interface graphs;
*) graphing - removed "move" command for graphing rules;
*) hotspot - fixed setting of "address" parameter for IP binding;
*) hotspot - restore cookie timeout on reboot;
*) ike2 - added support for "address", "key-id" and "dn" for Remote ID matching (CLI only);
*) ipsec - added support for "Framed-Route" RADIUS attribute support;
*) ipsec - do not match incoming IKE requests by unresolved DNS name peers;
*) ipv6 - added "pref64" option configuration for RA;
*) ipv6 - limited "hop-limit" parameter value range to 255;
*) ipv6 - made distributed DNS lifetime RFC8106 compliant;
*) l3hw - added destination MAC address check for offloaded FastTrack connections;
*) lte - added AT support for Telit LE910C4 in MBIM mode;
*) lte - fixed APN setting usage on initial connection attempt for AT based Quectel and Neoway modems;
*) lte - fixed automatic antenna selection on Chateau LTE12/LTE18;
*) lte - fixed dialing for Fibocom L850-GL module;
*) lte - fixed displaying of "subscriber-number";
*) lte - improved AT port matching for SIMCom, Huawei, WeLink, Cinterion, BandLuxe and Sierra modems;
*) lte - improved modem detection speed in lower mini-PCIe slot on LtAP;
*) lte - parse USSD even if encoding is unsupported;
*) mpls - fixed handling of more than 9 VRF's;
*) mpls - fixed LDP listen socket creation before IPv6 address is ready for use;
*) mpls - improved stability when neighboring router reboots;
*) ospf - fixed "ospf-type" parameter for OSPFv3 routes;
*) ospf - fixed simple auth for OSPFv3;
*) ovpn - added AES-GCM and multicore encryption support (CLI only);
*) poe - properly turn off power when link not detected on hAP ax2 and hAP ax3;
*) port - fixed modem channel number on KNOT;
*) resource - show filesystem related statistics on CCR2004;
*) route - fixed IPv6 default route presence when received from RA;
*) route - fixed printing of routing table's "count-only" parameter;
*) sfp - fixed false link detection with S+RJ10 on RB5009;
*) sfp - fixed reading of SFP EEPROM on single SFP port devices;
*) sms - improved reporting of SMS sending errors;
*) sms - log USSD response when USSD is sent over MBIM;
*) sniffer - added additional filtering parameters (CLI only);
*) snmp - do not show identity in LLDP when branding is used with hide SNMP data;
*) snmp - fixed handling of disabled routes;
*) snmp - fixed reporting of total number of routes counter;
*) ssh - hard-coded "localhost" address for forwarding requests;
*) sstp - fixed TLS session establishment when "connect-to" is DNS name;
*) switch - fixed SFP rate select for CRS354 devices;
*) switch - improved system stability for 98DXxxxx switch chips;
*) torch - allow "without-paging" parameter for Torch;
*) traffic-generator - increased maximum allowed stream count;
*) upgrade - show error message when license prohibits upgrade;
*) vxlan - added "dont-fragment" setting that allows managing fragmentation;
*) webfig - allow setting numeric values in time interval fields;
*) webfig - fixed accessing of WebFig when "Interface" menu is disabled by skin;
*) webfig - fixed editing of multi-field parameters with "not" checkbox;
*) webfig - fixed handling of empty skin files;
*) webfig - improved navigation responsiveness;
*) webfig - improved skin file parsing;
*) webfig - properly escape all reserved URI characters;
*) webfig - updated WebFig and graph web pages to HTML5;
*) wifiwave2 - added wireless sniffer tool to capture wireless transmissions (CLI only);
*) wifiwave2 - enabled additional channels in UNII-3 and UNII-4 bands for Europe and USA on hAP ax^2, hAP ax^3 and Chateau ax;
*) wifiwave2 - implement 802.11w management protection SA Query procedures;
*) wifiwave2 - improve protections from denial-of-service attacks on WPA3;
*) winbox - added "Match Subdomain" parameter under "IP/DNS/Static" menu;
*) winbox - added missing WifiWave2 related parameters under "WifiWave2" menu;
*) winbox - fixed displaying of "Default Prepend" value under "Routing/BGP/Sessions" menu;
*) winbox - fixed displaying of "Tx/Rx CCQ" values under "Wireless/Registration" menu;
*) winbox - fixed displaying of flags under "System/Console" menu;
*) winbox - fixed displaying of multiple character flags;
*) winbox - fixed usage of IPv6 family addresses under "IP/Web Proxy/Access" menu;
*) winbox - improved mouseover hint for "local" policy under "System/Users/Groups" menu;
*) winbox - show "Gateway" column by default under "IPv6/Routes" menu;
*) x86 - added support for TP-Link TG-3468;
*) x86 - fixed SR-IOV support for Intel X710 series NIC;
*) x86 - improved Intel 500 series 10G SFP module support;
*) x86 - improved stability for Intel X550 series NIC with SR-IOV;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

Fri Jan 20, 2023 4:19 pm

1 of my AC3 devices upgraded, so far no issues seen (it's running for a whole 5 minutes :-) ).

Znevna · Fri Jan 20, 2023 4:44 pm

Nice changelog, I don't know how to find that "rose-storage" ..

Fri Jan 20, 2023 4:49 pm

Nice changelog, I don't know how to find that "rose-storage" ..

documentation draft:
https://help.mikrotik.com/docs/display/ROS/ROSE-storage

you need to install rose-storage package first

achu · Fri Jan 20, 2023 4:50 pm

Still no hardware acceleration for OpenVPN tunnel and IPQ-6010 processor (hAP ax3)

Znevna · Fri Jan 20, 2023 4:52 pm

you need to install rose-storage package first

I've downloaded the extra packages but somehow I've missed it, now I've found it :) thank you!
LE: I see you're using ksmbd, please be sure to keep it up to date with latest security patches as some nasty flaws were discovered..

Quaziee · Fri Jan 20, 2023 6:01 pm

What does this mean?
upgrade - show error message when license prohibits upgrade;

biomesh · Fri Jan 20, 2023 6:03 pm

Why do you quote whole preceding post? Does it help answering? Do you repeat what your interlocutor says when you discuss?

For a CHR instance without an active license

rpingar · Fri Jan 20, 2023 7:33 pm

may you elaborate little bit further?
*) x86 - fixed SR-IOV support for Intel X710 series NIC;

we use them and the only issue is the fact that we must use only auto about cpu irq interface queue. Is it something about?

mikrotikedoff · Fri Jan 20, 2023 7:51 pm

What is the reasoning for not allowing new devices being sold now with V7 to be reinstalled with V6? Seems like it'd be reasonable and considerate to remove this limitation until 7 becomes fit for professional use.

mada3k · Fri Jan 20, 2023 8:04 pm

documentation draft:
https://help.mikrotik.com/docs/display/ROS/ROSE-storage

Intresting. Mikrotik planning to enter the SAN/NAS business?

CTassisF · Fri Jan 20, 2023 8:30 pm

Since updating to 7.8beta2 I'm having issues importing remote container image zabbix/zabbix-proxy-sqlite3:alpine-6.0-latest on my RB5009 (arm64). It was working fine on 7.7rc5.

 16:43:05 container,info,debug importing remote image: zabbix/zabbix-proxy-sqlite3, tag: alpine-6.0-latest
 16:43:05 system,info item added by cesar
 16:43:07 container,info,debug error response getting manifests: 404
 16:43:07 container,info,debug was unable to import, container 4a07240c-862b-4861-a16a-68605478ad54

After changing to zabbix/zabbix-proxy-sqlite3:alpine-6.0.12 it works fine again:

 16:45:28 container,info,debug importing remote image: zabbix/zabbix-proxy-sqlite3, tag: alpine-6.0.12
 16:45:28 system,info item added by cesar
 16:45:31 container,info,debug getting layer sha256:6875df1f535433e5affe18ecfde9acb7950ab5f76887980ff06c5cdd48cf98f4
 16:45:32 container,info,debug layer sha256:6875df1f535433e5affe18ecfde9acb7950ab5f76887980ff06c5cdd48cf98f4 downloaded
 16:45:32 container,info,debug getting layer sha256:2068be5b412156c5bc2936aeb988446cb6ac458c4c408ac51b5143e9632073f0
 16:45:33 container,info,debug layer sha256:2068be5b412156c5bc2936aeb988446cb6ac458c4c408ac51b5143e9632073f0 downloaded
 16:45:33 container,info,debug getting layer sha256:35af6ce2b615d78f6617ef90fdbb0aef91a77c766594c28325a8e9e589d0e002
 16:45:33 container,info,debug layer sha256:35af6ce2b615d78f6617ef90fdbb0aef91a77c766594c28325a8e9e589d0e002 downloaded
 16:45:33 container,info,debug getting layer sha256:7becd6903f60f84a63358dbfbf033e34094e07d255085fe0d9a2fe48481e74b6
 16:45:34 container,info,debug layer sha256:7becd6903f60f84a63358dbfbf033e34094e07d255085fe0d9a2fe48481e74b6 downloaded
 16:45:34 container,info,debug getting layer sha256:21bb24f368b7ae4b135a1ef432a6379a54310c37e8a7b8d54d0260d7cd768f9d
 16:45:35 container,info,debug layer sha256:21bb24f368b7ae4b135a1ef432a6379a54310c37e8a7b8d54d0260d7cd768f9d downloaded
 16:45:35 container,info,debug getting layer sha256:9e1e869413aec50921ae70ba3b2098e56ab598bb6a26d2b0d5c697f7c433cb00
 16:45:37 container,info,debug layer sha256:9e1e869413aec50921ae70ba3b2098e56ab598bb6a26d2b0d5c697f7c433cb00 downloaded
 16:45:38 container,info,debug getting layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
 16:45:38 container,info,debug layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 downloaded
 16:45:38 container,info,debug getting layer sha256:e4034d2118985bc524c23df0d8c998c604ee97aef464494c39111bf32ebd9335
 16:45:39 container,info,debug layer sha256:e4034d2118985bc524c23df0d8c998c604ee97aef464494c39111bf32ebd9335 downloaded
 16:45:39 container,info,debug import successful, container c3a27c76-186a-47bf-ace4-04fcff0790fd

zabbix/zabbix-proxy-sqlite3:alpine-6.0-latest was updated a few hours ago. Maybe something is wrong on Docker Hub? Or is it a bug in 7.8beta2?

anav · Fri Jan 20, 2023 10:04 pm

Zero Trust Cloudflare package option missing. :-P

ksteink · Fri Jan 20, 2023 11:14 pm

Nice start for this new version but I like to see in the roadmap to get High Availability (HA) in which I can have 2 CRS3xx/CRS5xx in a stack in which all the configurations on the primary and connection states are sync-up constantly in the secondary (including DHCP leases). That will be a killer feature to have :)

Sat Jan 21, 2023 12:39 am

Zero Trust Cloudflare package option missing.

https://www.youtube.com/watch?v=BbDnBxlBTdY

anav · Sat Jan 21, 2023 1:18 am

Why do you quote whole preceding post? Does it help answering? Do you repeat what your interlocutor says when you discuss?

First, one shouldnt feed the troll posts like mine ;-PP
Secondly, accessing it via container is discriminatory and dumb, it should be a package avail on all MT devices.

Sat Jan 21, 2023 1:53 am

Bon appetit!

Jotne · Sat Jan 21, 2023 2:11 am

I do like new stuff and new version. But for me this seems to be more like 7.7.1 beta, not 7.8 beta
Mostly fixes and improvements, and new stuff added are just cosmetic.

npeca75 · Sat Jan 21, 2023 4:13 am

yessss

after so many v7 iterations ...

1. SFP data is back
2. SLAAC address show as expected
3. RA route show as expected
4. SNMP readout of SFP values as expected
rb760igs

nichky · Sat Jan 21, 2023 5:06 am

pls fix BGP-VRF-VPNv4 - working with RR

sirbryan · Sat Jan 21, 2023 7:57 am

I think most people are missing the (possibly) bigger "news" here.

"RouterOS Enterprise" (using modern NAS tech) allows us to leverage the untapped CPU/disk resources of our beefier boxes. Or, more particularly, beefier boxes yet to be released.

The RAID examples in the docs (https://help.mikrotik.com/docs/display/ROS/ROSE-storage) use NVMe as examples. One could expect to see more 2x16's with more RAM and NVMe slots--or possibly some 2x32's, with 32 cores, 32GB of RAM, 2-4-more NVMe slots, and 40G or 100G networking.

Or, you could just put it on the bare metal and leverage whatever you have today.

I just got NFS working between an AX3 and a 2116 in the lab and it was painless. Next up will be to spin up containers on the AX3, without having to attach a USB drive.

flapviv · Sat Jan 21, 2023 10:06 am

The RAID examples in the docs (https://help.mikrotik.com/docs/display/ROS/ROSE-storage) use NVMe as examples. One could expect to see more 2x16's with more RAM and NVMe slots--or possibly some 2x32's, with 32 cores, 32GB of RAM, 2-4-more NVMe slots, and 40G or 100G networking.

Yes you're right, 10 NVMe slot is not for a router but for a server. ;-)

FattyAcid · Sat Jan 21, 2023 10:24 am

This is a disappointing release as 7.8, should have been 7.7.1.

When are we going to see Mikrotik address those critical route/switch features that most enterprises use. Specifically:

1. BFD fixed
2. BGP-VPNv4-VRF RR fixed
3. Something equivalent to Cisco DMVPN, HP DVPN, Meraki AutoVPN, or Fortinet ADVPN, etc.
4. EVPN
5. MPLS Fast Reroute
6. BGP Multi-path
7. L3HW off loading that is compatible with MLAG and VRRP
8. L3HW off loading for VXLAN
9. L3HW off loading for QinQ

Until those are delivered I can’t use Mikrotik in any medium or large US companies I support. Cant use it in the data center, can’t use it in the WAN edge, can’t use it in the LAN.

ROSE is nice but it’s not helping me get Mikrotik into the enterprise in the US.

Larsa · Sat Jan 21, 2023 10:42 am

While I agree with many of the flaws, point #3 is generally referred to as SDWAN and is implemented in RoS using ZeroTier.

woland · Sat Jan 21, 2023 11:00 am

This is a disappointing release as 7.8, should have been 7.7.1.

When are we going to see Mikrotik address those critical route/switch features that most enterprises use. Specifically:

Yep, couldn´t agree more, I am disappointed by 7.8 as well: people are not waiting for ROS to have perfect storage support (ROSE). Having containers is great, but it should not be the focus. I am waiting for solid WIFI features (band steering, roaming, wireless bridging for wifiwave2, single capsman to manage old and new wifi), better IPv6 support (fast track, rfc9096), more HW acceleration.
I would also love to see CCR2004-PCIe card BSD support, which was spoken about, but was never realized!
What about more modular wifiwave2, so that it fits on my CAPac, HAPac2 ? Those would be the real killer features for me!

depth0cert · Sat Jan 21, 2023 11:07 am

RouterOS version 7.8beta2 has been released "v7 testing" channel!
*) certificate - improved certificate management, signing and storing processes;

Hello.
I have problem on new fresh clean installation chr-7.8beta2.img with ipsec,error can't get private key.
SUP-105306 https://help.mikrotik.com/servicedesk/s ... SUP-105306
On a new fresh clean installation from the chr-7.8beta2.img file, there is an error that does not exist on stable chr-7.7.img.

r1:

/certificate/add name="r1-ca" common-name="r1-ca" subject-alt-name="email:r1-ca" key-size=prime256v1 key-usage=key-cert-sign,crl-sign
:do {/certificate/sign [find name=r1-ca] name=r1-ca} on-error={:delay 3}
/certificate/add name="r1" common-name="192.168.2.14" subject-alt-name="IP:192.168.2.14" key-size=prime256v1 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
:do {/certificate/sign [find name=r1] ca=r1-ca name=r1} on-error={:delay 3}
/certificate/add name="r1-r2" common-name="r1-r2" subject-alt-name="email:r1-r2" key-size=prime256v1 key-usage=digital-signature,key-encipherment,data-encipherment,key-agreement,tls-client
:do {/certificate/sign [find name=r1-r2] ca=r1-ca name=r1-r2} on-error={:delay 3}
:delay 2
/certificate/export-certificate r1-ca file-name=r1-ca
/certificate/export-certificate r1 file-name=r1
/certificate/export-certificate r1-r2 file-name=r1-r2 type=pkcs12 export-passphrase=passphrase
/ip/pool/add name=r1-r2 ranges=192.168.1.2
/ip/ipsec/mode-config/add address-pool=r1-r2 address-prefix-length=32 name=r1-r2 split-include=0.0.0.0/0 system-dns=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add exchange-mode=ike2 local-address=192.168.2.14 name=peer1 passive=yes profile=profile1
/ip/ipsec/proposal/add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2
/ip/ipsec/policy/add dst-address=192.168.1.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

r2:

/certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase=""
/certificate/import file-name="r1.crt" name="r1" passphrase=""
/certificate/import file-name="r1-r2.p12" name="r1-r2" passphrase="passphrase"
:delay 2
/ip/ipsec/mode-config/add name=cfg1 responder=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add address=192.168.2.14/32 exchange-mode=ike2 name=peer1 profile=profile1
/ip/ipsec/proposal/add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1-r2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1
/ip/ipsec/policy/add dst-address=0.0.0.0/0 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

Result:

09:02:34 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:283ba582c62ec4fa:57b2c5210d7931a4
09:02:34 ipsec,error can't get private key
09:02:34 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:283ba582c62ec4fa:57b2c5210d7931a4
09:02:36 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:1e4c321c0f62bbb0:b86fa5304054f5df
09:02:36 ipsec,error can't get private key
09:02:36 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:1e4c321c0f62bbb0:b86fa5304054f5df
09:02:37 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:005d4fe0daeadb1d:5319ddb77408abbb
09:02:37 ipsec,error can't get private key

I attached the command-history.txt and supout.rif files from stable chr-7.7.img where everything works and from chr-7.8beta2.img where it does not work.
Please, fix it.

pe1chl · Sat Jan 21, 2023 11:19 am

This is a disappointing release as 7.8, should have been 7.7.1.

When are we going to see Mikrotik address those critical route/switch features that most enterprises use.

While I agree with your point, of course this is NOT a release. It is not 7.8.
It is the first in a row of betas that will add more and more features, until finally we get a 7.8rc1 in about a month, and THEN it is time to complain that it again does not fix those features and issues.
However, like you I fear that this will again be the case by then. We get things like a disk manager, instead of some long awaited fixes in the basic functionality of a router.

pe1chl · Sat Jan 21, 2023 11:57 am

By now my hAP ac2 has only 1452 KiB of free space on the flash, with just the routeros package and a simple bridge mode AP only configuration.
Is that typical for this device, or is it time for a netinstall?

mkx · Sat Jan 21, 2023 1:26 pm

By now my hAP ac2 has only 1452 KiB of free space on the flash

My hAP ac2 (running 6.49.6, but nevertheless) has 696kiB of free space on flash. So nothing new for 7.8beta ...

woland · Sat Jan 21, 2023 2:22 pm

I have recently netinstalled my HAPac2 (maybe around the release of 7.4). I have 1,7MB free after the upgrade to 7.8. So a netinstall probably wont help much.

pe1chl · Sat Jan 21, 2023 3:37 pm

Thanks! I was worried that during one of the upgrades a couple of MB was left behind... I have another AP that is MIPSBE and it has 3800 KiB free, but apparently ARM code is a lot larger than MIPSBE.

mada3k · Sat Jan 21, 2023 3:48 pm

This is a disappointing release as 7.8, should have been 7.7.1.

When are we going to see Mikrotik address those critical route/switch features that most enterprises use. Specifically:

1. BFD fixed
2. BGP-VPNv4-VRF RR fixed
3. Something equivalent to Cisco DMVPN, HP DVPN, Meraki AutoVPN, or Fortinet ADVPN, etc.
4. EVPN
5. MPLS Fast Reroute
6. BGP Multi-path
7. L3HW off loading that is compatible with MLAG and VRRP
8. L3HW off loading for VXLAN
9. L3HW off loading for QinQ

Until those are delivered I can’t use Mikrotik in any medium or large US companies I support. Cant use it in the data center, can’t use it in the WAN edge, can’t use it in the LAN.

ROSE is nice but it’s not helping me get Mikrotik into the enterprise in the US.

I agree. I think Mikrotik has to decide what segment to focus on. Home users that demand bleeding-edge all-in-one boxes or enterprise that need proven solutions and functions.

"DMVPN" is such a killer feature in the enterprise world. VyOS has support for it since years.

BrateloSlava · Sat Jan 21, 2023 3:49 pm

9 cAP ac. Only two of them have 10% free space. The rest - from 5% to 8%. There are no user files in the memory of access points.
3 hAP ac2. Everyone has similar problems with free space.

On all devices, version 7.5 was installed via netinstall, then the usual update.

curtdept · Sat Jan 21, 2023 5:12 pm

Use of DHCP snooping on a bridge breaks IPV6 PD on an RB5009

dadaniel · Sat Jan 21, 2023 10:39 pm

It would be great if OVPN would get static key support soon. Can you please tell me what's the problem implementing this?

hecatae · Sat Jan 21, 2023 11:58 pm

Is that support for the Fibocom L850?

I've got one here I'm just curious about the fixed dialing mentioned

maigonis · Sun Jan 22, 2023 12:00 am

Nobody noticed wave2 CAPSMAN GUI is here?

As someone have already mentioned - how realistic is wave2 on 40xx devices?

mducharme · Sun Jan 22, 2023 12:22 am

As someone have already mentioned - how realistic is wave2 on 40xx devices?

I've been running wave2 at home since 7.7 with no complaints on a 4011 and an Audience, although I wasn't really using the 2.4ghz on the 4011 so I didn't really miss it.

If I did need the 2.4ghz I would be tempted to pick up a 2.4ghz radio that was compatible and switch out the one in the 4011 for that one.

ITDave · Sun Jan 22, 2023 12:33 am

I am not sure if anyone noticed but under IPv6 ICMP Packets seem to have a 30s timeout??
It would be nice to be able to alter the connection tracking separately for both IPV4 and IPV4

korzus · Sun Jan 22, 2023 12:44 am

On rb4011, with 2 wans interfaces, a wireguard tunnel is using both links very like as round robin balancing. Pretty weird.
Restored to 7.7rc5.

DarkNate · Sun Jan 22, 2023 2:34 am

Upgraded a hAP ax2 to this version and now I keep getting a log message on every reboot with this:
"error while running customized default configuration script: no such item"

Any way to fix this? Downgrading back to 7.7 stable, didn't fix it.

5GHz Wi-Fi is “running” but clients fail to connect, working fine on 7.7 stable.

korzus · Sun Jan 22, 2023 3:03 am

Have you tried reset with "no default configuration" option? Or even netinstall?

Upgraded a hAP ax2 to this version and now I keep getting a log message on every reboot with this:
"error while running customized default configuration script: no such item"

Any way to fix this? Downgrading back to 7.7 stable, didn't fix it.

5GHz Wi-Fi is “running” but clients fail to connect, working fine on 7.7 stable.

DarkNate · Sun Jan 22, 2023 3:10 am

Have you tried reset with "no default configuration" option? Or even netinstall?

Yes. No. I do not want to netinstall as that's what I just did 5 days ago with this new box using 7.7. It's a lot of efforts for bugs that should be fixed by MikroTik.

Jotne · Sun Jan 22, 2023 9:26 am

5 1/2 year and still no change in the logging prefix mess, that MT should look at.
viewtopic.php?t=124291

Please look at rfc 5424, released in mars 2009....

Znevna · Sun Jan 22, 2023 10:57 am

where's your ticket number and what does it have to do with the current release?

Jotne · Sun Jan 22, 2023 11:08 am

1. Ticket#2019071722004055] PS this are not the first one. Did not find the one form 2017(mail deleted), this one are from 2019
Newer ticket SUP-105353, and Mikrotik reads this forum as well.
3. This is a new mayor release, so new function can be added. Until fixed, I will ask for MT to do some thing with it.

It may not be an importante function for you, but if you run MT in a larger scale, logging is important.

Larsa · Sun Jan 22, 2023 11:24 am

"DMVPN" is such a killer feature in the enterprise world. VyOS has support for it since years.

in general called SD-WAN. This is implemented in v7 using ZeroTier.

alibloke · Sun Jan 22, 2023 11:33 am

I'm getting the following error on only one of my hAPax3's:

 jan/20 14:16:47 system,error,critical error while running customized default configuration script: invalid internal item number

pe1chl · Sun Jan 22, 2023 11:36 am

Upgraded a hAP ax2 to this version and now I keep getting a log message on every reboot with this:
"error while running customized default configuration script: no such item"

In the past this was often caused by renaming wlan interfaces in your local config (combined with programming errors in MikroTik's scripts).
E.g. when you rename wlan1 to wlan-2ghz because that is clearer to you, it will cause such failures.
Don't know if that mistake (of referring directly to wlan1 in scripts instead of something like [ find default-name=wlan1 ] ) still hasn't been fixed.

Maggiore81 · Sun Jan 22, 2023 12:03 pm

MT is currently missing a big point. Apart from routing features present in v6 that are not available on v7... they advertise the L3-HW that is BROKEN!
I have since 7.4 a support file, that is not fixed and they dindt give me any ETA for the fix.
We need every one hour to stop and restart the l3-hw engine on the CRS317. They are NOT READY for the isp business, but they ignore it.
SUP-95367 is still unfixed.

eworm · Sun Jan 22, 2023 2:27 pm

*) disk - limit maximum TMPFS size;

What is this limit? And is there a way to create a tmpfs with a sane default? Giving no size just fails now...

[admin@MikroTik] > /disk/add type=tmpfs 
failure: too much memory requested for tmpfs/ramdisk

dg1kwa · Sun Jan 22, 2023 2:37 pm

yeah, now DOM/DDM work on my hEX S (RB760iGS). Great job!

Znevna · Sun Jan 22, 2023 2:40 pm

It may not be an importante function for you, but if you run MT in a larger scale, logging is important.

Logging works fine unless you're trying some weird shit gathering data in splunk or whatever.

pe1chl · Sun Jan 22, 2023 3:00 pm

*) disk - limit maximum TMPFS size;
What is this limit? And is there a way to create a tmpfs with a sane default? Giving no size just fails now...

I suggest that you enable memory graphing and watch after a while what is the maximum amount of money consumed in your setup, and set the ramdisk so that it occupies less than the space that is always free.
I have added a ramdisk of size 800M on my RB4011 which has 1GB of RAM and typically 120MB in use.
Note that a ramdisk does not immediately occupy the space allocated to it. That happens only when it is filled with files.

pe1chl · Sun Jan 22, 2023 3:05 pm

5 1/2 year and still no change in the logging prefix mess, that MT should look at.

I agree that it is a mess and needs improvement, but I fear that making any change to how it is now will cause an even bigger mess in existing installations than we have now.
Probably things that could be changed with relatively low impact:
- add a new type of prefix, something like "err######" which is unique for every possible message in the system, where the ###### is a permanently assigned error number documented on the help site. allows matching of a single message type that you want to log (or not log).
- add a "regexp matching" capability in the log rules, that matches on the message content
- fix the remote logging so that the prefixes can (optionally) be sent in the BSD format, maybe via some way to add a script in a remote logging definition that can alter the logged message as per the operator preference.

Jotne · Sun Jan 22, 2023 3:31 pm

Logging works fine unless you're trying some weird shit gathering data in splunk or whatever.

No need to use bad words. Many people do use logging in various form, not only Splunk.
And following standard are always at better way to success.

@pe1chl
I do agree that a change may not be a good option. Add an extra option called for example rfc 5424 that would give the new and more standard format. This way user can select what to do and not break all the old stuff.

Amm0 · Sun Jan 22, 2023 3:48 pm

Agree with @pe1chl. Specifically, the prefix is only thing that helps find things today. So without the prefixes in remote/BSD logging, it's extremely difficult to search or read even since there is 0 context.

I'd add "don't use multi-line log entries" (DHCP being the worst oftener): one event, one entry.

eworm · Sun Jan 22, 2023 3:54 pm

Note that a ramdisk does not immediately occupy the space allocated to it. That happens only when it is filled with files.

Yes, I know that. That's why I am not really happy with the change. I want to place backup files and exports on tmpfs, generated from scripts.

Well, looks like using a third of total memory works on all devices... Probably using that then.

Sun Jan 22, 2023 9:43 pm

new "rose-storage"…ARM, ARM64, Tile and x86

Several comments:

The clients should be added to MIPS, since they need network storage the worst of all machine types. I don't care whether it's SMB, NFS, iSCSI, or nVME-over-TCP, all four, or some subset, but something would be welcome. I can live without the servers; pressing a hEX into service as an iSCSI server with its piddlin' USB 2.0 port would be mondo silly.
All of the "*-address" fields should be renamed to just "address". You can't use them together. You know the type of address from the "type" parameter already.
If you don't do that, then you've at least got a copy-paste error to fix: "add type=nfs iscsi-address=192.168.1.1"
Those wishing for RouterOS to become a competitive NAS using these features are dreaming, given its fixed RAID levels. There's nothing like the flexible RAID levels pioneered by Drobo, then copied by Synology, QNAP, Lacie, etc. There are uses for DIY fixed RAID, but in a world where we've got things like TrueNAS Core, I don't see this feature taking over any significant slice of the NAS market.

Znevna · Sun Jan 22, 2023 11:02 pm

Any MIPS devices with more than 16MB of storage?
Because of the great modularity options that RouterOS provides you can't fit that package on such little storage.

Sun Jan 22, 2023 11:50 pm

Any MIPS devices with more than 16MB of storage?

With a little sorting on the product matrix, I count 32 products. Compressing it to product families, we get:

BaseBox 2, 5, 6
CRS109-8G-1S-2HnD-IN
CRS125-24G-1S-2HnD-IN
KNOT LR8 & LR9 kits
mANTBox 15s & 19s; mANTBox 2 12s
NetBox 5
NetMetal 5 series
QRT 5 series
RB2011 series
RB911, 912, 922, and 951 series
SXT SA5 series

I don't know how to quickly verify which ones are both in production and have ready stock, but there are some familiar pieces on that list such as the venerable CRS109 and RB2011.

you can't fit that package on such little storage.

My understanding is that MIPS boxes have under 2 MB of flash free these days. I looked at the ARM package, and it's nearly 4 MB. However, I did say it should be pared down to the clients alone. That might be enough, and if not, then you take the next step and remove them in fattest-to-slimmest order until you get under the limit. I suspect "nVME-over-TCP" is the slimmest, but whatever it turns out to be, one is better than none.

105547111 · Mon Jan 23, 2023 4:40 am

Confirmed the SSTP bug is fixed and resolved :-)

Mon Jan 23, 2023 7:05 am

Nobody noticed wave2 CAPSMAN GUI is here?

I just have been toying with it.
Experienced complete crash on AC3 when enabling capsman.
Log files after reboot seem to indicate system and wave2 package were installed. Again ?

It did not happen again afterwards so maybe a glitch ?

murrayis · Mon Jan 23, 2023 7:08 am

@mikrotik - Why the delay on BFD - It's time to be real!

BFD is far more important than adding RAID/iSCSI/NFS support to a "Router"

Mon Jan 23, 2023 10:08 am

Several comments:

Thanks noted.

pe1chl · Mon Jan 23, 2023 11:59 am

The storage package needs a lot more doc. It seems that it is possible to mount an iSCSI volume, and to export an NFS volume, but is it also possible to mount an NFS shared directory from another system? I do not see the parameter to specify the server path. As in:
mount -t nfs server:/path /mountpoint
type nfs and mountpoint are clear.

arm920t · Mon Jan 23, 2023 12:25 pm

may you elaborate little bit further?
*) x86 - fixed SR-IOV support for Intel X710 series NIC;

we use them and the only issue is the fact that we must use only auto about cpu irq interface queue. Is it something about?

Same problem here.Only read-only irq for xxv710 nic.

rpingar · Mon Jan 23, 2023 12:30 pm

may you elaborate little bit further?
*) x86 - fixed SR-IOV support for Intel X710 series NIC;

we use them and the only issue is the fact that we must use only auto about cpu irq interface queue. Is it something about?
Same problem here.Only read-only irq for xxv710 nic.

yes and the strange think is that one queue is used a lot more the others, loading manly one core.

hecatae · Mon Jan 23, 2023 12:39 pm

Chateau LTE12 updated without issue.

Mon Jan 23, 2023 12:48 pm

mount -t nfs server:/path /mountpoint

nfs-share=...
documentation is still in progress

Amm0 · Mon Jan 23, 2023 1:09 pm

Just tried rose-storage. Using 2 SATA-III SSDs inside RB1100, I can at least create a "mirrored disks" (RAID 1). So that part works!

But noticed several things:

1. Files window in winbox still shows a "sata1-part1", even though that doesn't exist. The raid volume does show up e.g. raid1-part1 okay however.

2a. Setting the slot= on a raid partition, doesn't persist reboot. e.g. I'd set the slot=disk1, but after reboot comes back as default raid1-part1.
2b. Similar nfs-export and smb-export also don't seem to persist reboot.

3. Could NOT mount RouterOS ROSE disks using NFS Mac after using nfs-export=yes - tried various things: Finder using URL, Terminal using mount, using both :/ and :/raid1-part1 in path – nothing obvious seem to work and docs less helpful here.

4. The relationship with existing /ip/smb is unclear. I do NOT have /ip/smb enabled, but did try smb-export=yes in /disks. Similar issues to NFS - couldn't figure out any way to mount. Only thing that got close was if I add smb-share=/disk1, then MacOS prompts for a password when using smb://<MT_IP>/disk1 - but neither using "Guest" or "Registered User" with ROS creds failed so no mount. If you set smb-user=/smb-password=, then it doesn't even prompt for a password on MacOS and doesn't work either - but those seem more to mount a SMB volume on RouterOS (I'm was trying to share the ROSE disk as SMB share)

Basically I have a working mirrored disk, that cannot be renamed or shared. RAID alone is still useful, but clearly some better docs and/or bug fixes might be needed...

mada3k · Mon Jan 23, 2023 1:53 pm

I would wait until they actually releases any SAN/NAS hardware, or else it's pointless (since it exists so many NAS platforms for generic x86 already)

in general called SD-WAN. This is implemented in v7 using ZeroTier.

Thats properitary and requires a central controller somewhere, and can't co-exist with regular routing.

dcavni · Mon Jan 23, 2023 3:29 pm

Can Wave 2 CAPSMAN also control non Wave2 Wifi interfaces (devices)?

rextended · Mon Jan 23, 2023 3:33 pm

Mon Jan 23, 2023 3:37 pm

Small nuance:
NO as it is right now.
But it has been stated the possibility might come in the future that both legacy and wave2 capsman could be integrated in one solution. ETA ? Crystal ball needed ...

dcavni · Mon Jan 23, 2023 3:39 pm

That's a bit sad, since i have 6 non Wave 2 devices and two Wave 2 (AC3), that will now be replaced by RB5009 and left as an AP. So no way to put them on the same network. It is what it is.

Mon Jan 23, 2023 3:41 pm

You can still put them on the same network.
But you will need 2 different CAPSMAN controllers for the time being: one for legacy, one for wave2 (and if you also want redundancy, multiply by 2).
Like you say: it is what it is.

dcavni · Mon Jan 23, 2023 3:46 pm

I know that, but in this case, phones won't seamlessly switch from one device to another.

Mon Jan 23, 2023 3:52 pm

Even with APs within the same capsman constellation, there is no seamless switch.
I believe you need roaming parts of the wifi-specs for that to happen. It's being worked on but not fully implemented yet (as it is now to my knowledge, only within same AP = from 2.4 to 5Ghz and vice versa if same SSID is used. Unless I missed something in the latest versions in that context.).

dcavni · Mon Jan 23, 2023 3:59 pm

Not realy sure. When i tested this with PING from my phone i moved from one AP to another and PING didn't drop inbetween. But sometimes i notice, that phone doesn't switch to another AP when it should. Especialy this is noticable when doing WiFi calling and call drops.

mkx · Mon Jan 23, 2023 4:02 pm

capsman currently doesn't improve roaming experience of wireless clients. capsman2 might (and hopefully will in the future). If you configure APs with same security profile (replicate it on APs directly or in other capsmans) and make sure resulting wireless interfaces are part of same L2 network (e.g. served by same DHCP server without resorting to DHCP relay or anything similarly redundant), then client roaming experience will be the same whether APs are provisioned by same capsman or if they are configured individually.

Eitehr way, it's up to client to decide when it wants to switch, newer standards (802.11 r/k/v; only /r is implemented in wifiwave2 driver and works between radios of same AP) assist client by providing more information (k/v) and by allowing faster registration to target radio (r). When everything works as designed, then switch is very fast and user normally doesn't notice it.

pe1chl · Mon Jan 23, 2023 4:06 pm

... but it will never be as fast as with some competing products that provide "seamless roaming", i.e. the entire installation operates as a single AP MAC address on a single channel.

Znevna · Mon Jan 23, 2023 4:09 pm

the entire installation operates as a single AP MAC address on a single channel.

I hope this is one of your jokes.

mkx · Mon Jan 23, 2023 4:14 pm

the entire installation operates as a single AP MAC address on a single channel.
I hope this is one of your jokes.

Nope, it's real.

llag · Mon Jan 23, 2023 4:18 pm

Important note!!!

Version is not recommended on CRS3xx devices.

Changes in this release:

What are the limitations for the CRS3xx devices that cause this version not to be recommended?

Znevna · Mon Jan 23, 2023 4:19 pm

I hope this is one of your jokes.
Nope, it's real.

example?

pe1chl · Mon Jan 23, 2023 4:54 pm

the entire installation operates as a single AP MAC address on a single channel.
I hope this is one of your jokes.

No, really. There are manufacturers that offer a WiFi where there is only a single AP MAC for the controller, all APs listen on the same frequency and the same MAC, the traffic they receive is forwarded to the controller together with a signal strength value (RSSI), and the controller keeps the location of the strongest received signal so when they need to transmit data it can be sent via the AP where the signal is strongest.
With such a system there is no real roaming, it is just like a large single-frequency diversity system. There are absolutely no interruptions due to roaming.
But of course the fact that there is a single channel can limit the performance. However, more modern systems can operate several channels in parallel each with this system, so the users will be distributed over different channels.

Znevna · Mon Jan 23, 2023 5:02 pm

Please provide an example of a manufacturer currently advertising such a feature.

Dude2048 · Mon Jan 23, 2023 5:30 pm

Fortinet is one https://www.fortinet.com/blog/industry- ... cell-wi-fi

Mon Jan 23, 2023 5:35 pm

Fortinet is one https://www.fortinet.com/blog/industry- ... cell-wi-fi

which comes from acquisition of Meru Networks

sirbryan · Mon Jan 23, 2023 6:15 pm

Just tried rose-storage. Using 2 SATA-III SSDs inside RB1100, I can at least create a "mirrored disks" (RAID 1). So that part works!
...
3. Could NOT mount RouterOS ROSE disks using NFS Mac after using nfs-export=yes - tried various things: Finder using URL, Terminal using mount, using both :/ and :/raid1-part1 in path – nothing obvious seem to work and docs less helpful here.

4. The relationship with existing /ip/smb is unclear....

It feels to me that, at least at this stage, it's meant more for router-to-router use, particularly for containers on diskless devices. I couldn't get a router to mount an iSCSI target from my TrueNAS box. I tried NFS and Samba from the 2116 to my Mac too. I couldn't get anything to work the way one would expect to another computer.

I then loaded 7.8b2 on a hAP AC3 and connected it to the 2116 using NFS and it worked immediately. However, when trying to connect the hAP to the 2116 via iSCSI, the hAP just hung. Now, even after a reboot, it hangs when trying to export or print the disk config. I can't even remove it, so I'll have to reset it and try again.

[Edit] Turns out NFS works with Linux and macOS, provided you have the correct options: viewtopic.php?p=979643#p979643

fragtion · Mon Jan 23, 2023 6:26 pm

*) container - fixed file ownership after system upgrade for containers running on internal disk;
*) container - fixed multiple container automatic startup on boot;

Yes - finally!! Confirmed fixed, Thanks!!

Rox169 · Mon Jan 23, 2023 6:32 pm

Hi,
I appreciate storage management but at the moment Im not able to use SAMBA on 7.7 stable with my camers HIKVISION: I have already sent (SUP-104510) but no solution yet. I have hAP AX3 and I would like to use it as SAMBA server for my cameras but I have to keep old ASUS router with 1GB HDD to be able save vidoes from Cameras.

MIKROTIK PLEASE TAKE THIS SUP SERIOUSLY THERE ARE MILIONS OF HIKVISION CAMERAS AROUND THE GLOBE.

sirbryan · Mon Jan 23, 2023 7:01 pm

I got MacOS to mount the NFS share:

sudo mkdir /Volumes/2116/
sudo mount -t nfs -o vers=4,hard,bg,intr,resvport,rw 192.168.x.x:/nvme1 /Volumes/2116/

I also got it to auto mount the share:

# add to /etc/auto_master if you don't already have it
/-			auto_nfs	-nobrowse,nosuid

# create /etc/auto_nfs, then add this line for Catalina and later; 2116 is the name of my share, change it to what you want
# nvme1 is my disk's name on the 2116
/System/Volumes/Data/../Data/Volumes/2116	-fstype=nfs,vers=4,hard,bg,intr,resvport,rw  nfs://192.168.x.x/nvme1/

aussetg · Mon Jan 23, 2023 8:09 pm

> supporting disk monitoring, improved formatting, RAIDs, iSCSI ,NVMe over TCP,

Mmmm the PCIe CCR2004 will probably get much more interesting ;)

pe1chl · Mon Jan 23, 2023 10:15 pm

I got the NFS mount working. However, there apparently are no error messages. So when I configured something incorrectly, it just silently accepted the "add" and then in showing the status the nfs line would not show the M status. I would have expected an error in the log indicating the failed mount, but there wasn't any.

sirbryan · Tue Jan 24, 2023 5:54 am

I got one of these for my lab CCR2116 (Orico M.2 NVMe to SATA Expansion Card):

61kz--cHiLL._AC_SL1200_.jpg

Here's what it looks like installed (top is off, sitting in rack):

IMG_0015.jpg

I hooked up a Kingston 256GB SSD that I had in an enclosure and powered it via a separate power supply.

Flags: B - BLOCK-DEVICE; M, F - FORMATTING; p - PARTITION
Columns: SLOT, MODEL, SERIAL, INTERFACE, SIZE, FREE, FS, RAID-MASTER
#     SLOT               MODEL             SERIAL             INTERFACE                 SIZE             FREE  FS    RAID
0     pcie1              SATA Controller                      PCIe 2x8 GT/s                                          none
1 B   pcie1-sata1        KINGSTON SH103S3  50026B73XXXXXXXX   SATA 6.0 Gbps  240 057 409 536                         none
2 BMp pcie1-sata1-part1                    @512-240057409536                 240 057 409 024  235 152 457 728  ext4  none

Exported it via NFS, mounted the NFS share on my Mac, and with Blackmagic Disk Speed Test, I'm getting 136MB/s write, 496MB/s read (specs claim 555MB/s read, 510MB/s write).

I've ordered a 6-bay SSD 2.5" chassis to hook up to this thing to experiment with RAID and with exporting drives and/or partitions to diskless routers for containers, particularly my 2004's with 4GB of RAM.

Now if I could only find a way to route those cables straight out a whole in the back and put the lid back on...

DanielTheFox · Tue Jan 24, 2023 6:45 am

Does RouterOS support TRIM/UNMAP?

rpingar · Tue Jan 24, 2023 9:47 am

for us 7.8beta2 still has critical pppoe server issues:
- after 48h the pppoe-servers (more 10.000 servers on the box) crashe and let the dynamic pppoe queues go invalid (reboot needed)
- some time the dynamic pppoe-client interface doesn't go running (you can manually remove them and let the client router to reauthneticate)
[SUP-97493] updated with all the supout and autosupout generated

Phaere · Tue Jan 24, 2023 11:01 am

Nice
New storage and container fixes for routers
No core routing (BFD,EVPN, buggy VPN4) functionality for routers
Nice. No more words, sorry

pe1chl · Tue Jan 24, 2023 11:39 am

Now if I could only find a way to route those cables straight out a whole in the back and put the lid back on...

Guscht · Tue Jan 24, 2023 3:17 pm

We get things like a disk manager, instead of some long awaited fixes in the basic functionality of a router.

Thats is a development I dont really like. There are TONS of bug in basic stuff and they come up with docker and some kind of strogae manager.

sirbryan · Tue Jan 24, 2023 4:30 pm

I had something more elegant in mind, like a drill and hole saw. But the plugs are also too tall for the lid. Right-angle SATA ends would work for one or two, but I wonder if they have any that come off sideways…

Those that are frustrated with the seemingly useless features being released need to realize that most of this stuff they’re “adding” comes with Linux anyway. The other stuff we want (BFD et al) have to be written or rewritten.

While I agree there needs to be focus on high priority issues that we feel have long been overlooked (I miss BFD too), I wager there are several developers/development teams all working on different pieces of the stack. Some of it is harder to implement, some of it is super easy. I don’t expect the data center/devops guys to be BGP/BFD/SDN wizards, nor would I expect the GUI guys to be experts in embedded systems.

As a former CIO/CTO and now as a service provider and home user/tinkerer, I welcome it all. I’ve always considered RouterOS the Swiss Army Knife in this industry.

cdemers · Tue Jan 24, 2023 4:39 pm

@sirbryan something like this? Is there enough clearance for the cables to go off to the side?
https://www.startech.com/en-ca/cables/sata12rsa1

Znevna · Tue Jan 24, 2023 4:43 pm

Nice
New storage and container fixes for routers
No core routing (BFD,EVPN, buggy VPN4) functionality for routers
Nice. No more words, sorry

Those modules present in "rose-storage" are all modules that required just to be enabled in the linux kernel, and the MikroTik team added some options to control them. Everything else that isn't upstreamed in the kernel yet isn't that easy to add.

Tue Jan 24, 2023 5:08 pm

Bugs and things like BFD have no "enabled=yes" switch in RouterOS configuration files, sorry. It is easy to add some basic things, but there are complex things that need to be made from 0.

depth0cert · Tue Jan 24, 2023 5:13 pm

Please, check 7.8beta2 bug with ipsec,error can't get private key SUP-105306
viewtopic.php?t=192810#p979168

Amm0 · Tue Jan 24, 2023 5:37 pm

Please, check 7.8beta2 bug
SUP-105306

It help more people if you at least post the title/bug summary here. If everyone simply put the SUP#'s to check, the forum be way less useful.

sirbryan · Tue Jan 24, 2023 5:42 pm

@sirbryan something like this [Startech Side Angle SATA cable]? Is there enough clearance for the cables to go off to the side?

Those are too tall for the lid, and they'd hit the heat sink shroud.

But these low-profile, lateral SATA cables should do the trick:

https://silverstonetek.com/en/product/i ... ries/CP11/
https://www.youtube.com/watch?v=H76CKNc_stw&t=216s

cp11-34-1.jpg

pe1chl · Tue Jan 24, 2023 5:51 pm

The rose-storage module also has command additions in /file/sync.
However that is completely undocumented and not so easy to figure out...

pe1chl · Tue Jan 24, 2023 5:55 pm

Bugs and things like BFD have no "enabled=yes" switch in RouterOS configuration files, sorry. It is easy to add some basic things, but there are complex things that need to be made from 0.

By now it becomes more like "WE determine how long you can do without BFD!". It has been a "work in progress" for a year and a half, and thus it cannot be explained by "it is a complex thing to make" anymore.
I wonder how many hundreds of man-hours the BFD feature has been estimated to take, and how many of those have already been spent.

Tue Jan 24, 2023 5:57 pm

please comment ROSE package in designated topic viewtopic.php?t=192888

leonardogyn · Tue Jan 24, 2023 7:14 pm

Not specific to 7.8b2, but seems to affect it. Starting from v7.7, it seems the dns resolver has a memory leak that eats up all the Mikrotik memory until the RouterOS crash and reboots. Not all are affected, but all affected confirmed to be providing DNS services for client devices.

If you're running 7.8 and providing DNS services for your connected networks, watch out for your box memory usage! This is really bad specially for the low-memory spec models, but seems to affect a variety of different models. Those with more RAM will just take longer to crash and (luckly) reboot.

viewtopic.php?t=192427#p979415

benkreuter · Tue Jan 24, 2023 8:39 pm

Bugs and things like BFD have no "enabled=yes" switch in RouterOS configuration files, sorry. It is easy to add some basic things, but there are complex things that need to be made from 0.

At this point the lack of BFD support is inexcusable. There is clear demand from users, it was previously implemented in RouterOS, it is implemented in competing stacks, and there are common situations for which no reasonable workaround exists. BFD is relatively simple compared with OSPF (though the v7 implementation of OSPF leaves a lot to be desired) so it is hard to understand why it is still missing and apparently receiving no attention whatsoever.

Is there even a plan to implement basic features like BFD? Is there anyone even working on this?

mada3k · Tue Jan 24, 2023 9:35 pm

No core routing (BFD,EVPN, buggy VPN4) functionality for routers

Would be nice to have an alternative to hideously expensive Cisco/Juniper/Arista EVPN switches instead of relying on spanning-tree.

jbl42 · Tue Jan 24, 2023 10:35 pm

Bugs and things like BFD have no "enabled=yes" switch in RouterOS configuration files, sorry

Sorry Normis, but writing nonsense like "there is no enabled=true for BFD" after 18+ months of claiming to work on it is just pathetic.
If 18 months is not enough for MikroTik to bring BFD from ROS6 to ROS 7, probably serious routing is to complex for MikroTik and you should focus on SOHO routers.

Especially now as there are expensive beasts like CCR2116. Clearly made for large table routing with l3hw offload.
Why would I buy such an expensive box with bug ridden l3hw offload, plenty of IPv6 issues and no BFD? Our CCR2116 gathers dust in the lab as it is is clearly not fit for its intended purposes with current state of ROS7.

I start to think CCR2116 is not available anywhere because MT is embarrassed by the state of serious routing features in ROS7.
What about having different ROS versions for SOHO boxes and serious routers? So one team can work on nerdy-stuff like containers and similar and another team can work on finally fixing and implementing basic routing stuff for CCR2x16 boxes?

uCZBpmK6pwoZg7LR · Wed Jan 25, 2023 10:09 am

pls fix BGP-VRF-VPNv4 - working with RR

Agree. This issue is upgrade blocker cannot migrate due to it to ROS 7.

Wed Jan 25, 2023 1:37 pm

It is already fixed in v7.7 and v7.8betas

clambert · Wed Jan 25, 2023 9:13 pm

Great news!

mada3k · Wed Jan 25, 2023 9:59 pm

What about having different ROS versions for SOHO boxes and serious routers? So one team can work on nerdy-stuff like containers and similar and another team can work on finally fixing and implementing basic routing stuff for CCR2x16 boxes?

I tend to agree. I can see that making RouterOS interface for mdadm/mkfs/iscsid/etc.. is low hanging fruit.. but why?

No one in their right mind buys a $995 router to play with containers. You buy a Mini-PC or some second hand Dell/HPE to play with virtualization and containers.

sirbryan · Thu Jan 26, 2023 4:58 am

No one in their right mind buys a $995 router to play with containers. You buy a Mini-PC or some second hand Dell/HPE to play with virtualization and containers.

<Raises hand> Um, I have six 2116's and just bought two more.</hand down> I also have a farm of NUCs, Mac Mini's, and Mac Pro 5,1's running ESXi or macOS, backed by TrueNAS storage.

For the same money I spent on my NUCs, the 2116 has more cores, similar RAM & storage, 40Gbps of connectivity into a Layer 3 switch with 16 ports, redundant power supplies, all in a rack mount case. And it can switch and route a heck of a lot more data.

Until containers came out for MikroTik, I didn't really have any experience with them, since most of my apps run on dedicated hosts or in VM's. Now I'm in the process of migrating much of what I ran on my Mac Pro ESXi host at home office onto my 2116, allowing me to save power and space and eventually decommission my Xeon servers.

With all the complaints about The DUDE dying or lacking in development (and the fact that it's stuck on Windows only), I can build or deploy the NMS of my choice, including sensors, on any number of RouterOS devices, with modern interfaces and customizable code.

nichky · Thu Jan 26, 2023 5:02 am

It is already fixed in v7.7 and v7.8betas

@mrz
doesn't work on v7.7, defiantly

FattyAcid · Thu Jan 26, 2023 5:57 am

"DMVPN" is such a killer feature in the enterprise world. VyOS has support for it since years.

in general called SD-WAN. This is implemented in v7 using ZeroTier.

This will be my last post on this as it's getting off-topic, but ZeroTier is a pretty basic SD-WAN and is in no way equivalent to the capabilities, flexibility, and scalability of SD-WAN from vendors like Cisco-Viptela, Palo Alto-CloudGenix,VMware-VeloCloud, Fortinet SD-WAN, etc.

Cisco DMVPN, HP DVPN, and Fortinet ADVPN can be used in a non-SD-WAN configuration/context as they predate SD-WAN and aren't a requirement for SD-WAN. For example, Fortinet SD-WAN can be used in conjunction with Fortinet ADVPN or without depending on your use cases. As another example, Cisco-Viptela/IOS-XE SD-WAN is an entirely separate feature/product from DMVPN.

ZeroTier is sufficient for some basic home/SOHO/small business deployments/use cases--that's about it. MikroTik + ZeroTier is no way a substitute for DMVPN or real SD-WAN.

FattyAcid · Thu Jan 26, 2023 6:00 am

It is already fixed in v7.7 and v7.8betas

Can you please elaborate? What is fixed in v7.7 and v7.8 betas.

markonen · Thu Jan 26, 2023 9:46 am

Can you please elaborate? What is fixed in v7.7 and v7.8 betas.

No he can't, because that would be excessive quoting.

Larsa · Thu Jan 26, 2023 10:19 am

This will be my last post on this as it's getting off-topic, but ZeroTier is a pretty basic SD-WAN and is in no way equivalent to the capabilities, flexibility, and scalability of SD-WAN from vendors like Cisco-Viptela, Palo Alto-CloudGenix,VMware-VeloCloud, Fortinet SD-WAN, etc.

mpvpn, meshvpn, sd-wan... same, same different name. I've used many of them thus the core functionality (l2/l3, end2end encryption, etc) and performance is more or less exactly the same.

What differs is deployment, administration and how well they jack into repective brands legacy system. I'd say the zt admin interface and api would fit any size as the client preparation process is the key factor that makes the difference in how well a large scale deployment will work (as always).

jvanhambelgium · Thu Jan 26, 2023 10:23 am

This will be my last post on this as it's getting off-topic, but ZeroTier is a pretty basic SD-WAN and is in no way equivalent to the capabilities, flexibility, and scalability of SD-WAN from vendors like Cisco-Viptela, Palo Alto-CloudGenix,VMware-VeloCloud, Fortinet SD-WAN, etc.

mpvpn, meshvpn, sd-wan... same, same different name. I've used many of them thus the core functionality (l2/l3, end2end encryption, etc) and performance is more or less exactly the same.

What differs is deployment, administration and how well they jack into repective brands legacy system. I'd say the zt admin interface and api would fit any size as the client preparation process is the key factor that makes the difference in how well the deployment will work (as always).

MT will never play any role in any SDWAN unless the boxes can understand & detect (many) application and steer accordingly.

Larsa · Thu Jan 26, 2023 10:42 am

MT will never play any role in any SDWAN unless the boxes can understand & detect (many) application and steer accordingly.

Well, for one, MT doesn't drive the sd-wan market, they just adopted and implemented an existing open solution. Please feel free to elaborate what you mean by "unless the boxes can understand & detect (many) applications and steer accordingly." Btw, since this topic has nothing to do with v7.8Beta, please continue this discussion in another thread. I'll join you there in that case.

Znevna · Thu Jan 26, 2023 12:15 pm

It is already fixed in v7.7 and v7.8betas
Can you please elaborate? What is fixed in v7.7 and v7.8 betas.

Everything mentioned in the changelogs.

spippan · Thu Jan 26, 2023 12:29 pm

MT will never play any role in any SDWAN unless the boxes can understand & detect (many) application and steer accordingly.

despite being OT but SDWAN does not have anything to do with application detection.
on the other hand, maybe this is just a misunderstanding as your wrote it

woland · Thu Jan 26, 2023 12:42 pm

despite being OT but SDWAN does not have anything to do with application detection.

Of course it has! The selling point of SDWAN: it can replace great quality leased lines / MPLS by redundant cheap Internet uplinks. To achieve this you want to measure the quality of your cheap links and send important stuff over the better lines, while sending the rest of it over the worse lines.
You should also be able to direct for example every o365 directly to the cloud and not passing it through your central hub. Believe me, while this is possible to achieve manually, you just want the box to "know" what o365 traffic is.

nichky · Thu Jan 26, 2023 12:49 pm

@Znevna

Everything mentioned in the changelogs

@mrz -said that RR has been fixed

Have u seen that at the changelogs?

buset1974 · Thu Jan 26, 2023 12:54 pm

It is already fixed in v7.7 and v7.8betas

Can u explain more exactly what you have fixed for bpg vpn4?
It still have problem with best path calculation?

Thx

mada3k · Thu Jan 26, 2023 1:01 pm

Some SDWAN solutions can detect protocols, hostnames & applications and take decision what path it should take. It's great for it's purpose, but often proprietary.

<Raises hand> Um, I have six 2116's and just bought two more.</hand down> I also have a farm of NUCs, Mac Mini's, and Mac Pro 5,1's running ESXi or macOS, backed by TrueNAS storage.

For the same money I spent on my NUCs, the 2116 has more cores, similar RAM & storage, 40Gbps of connectivity into a Layer 3 switch with 16 ports, redundant power supplies, all in a rack mount case. And it can switch and route a heck of a lot more data.

Until containers came out for MikroTik, I didn't really have any experience with them, since most of my apps run on dedicated hosts or in VM's. Now I'm in the process of migrating much of what I ran on my Mac Pro ESXi host at home office onto my 2116, allowing me to save power and space and eventually decommission my Xeon servers.

With all the complaints about The DUDE dying or lacking in development (and the fact that it's stuck on Windows only), I can build or deploy the NMS of my choice, including sensors, on any number of RouterOS devices, with modern interfaces and customizable code.

Sound really affordable to use Mac's as VMware hosts.

It can't be that heavy workloads if you can replace them with some ARM boxes with 16G of RAM.

Amm0 · Thu Jan 26, 2023 1:22 pm

SDN means something different to everyone (to me, it's a buzzword for not following the standard/RFCs and ignoring ISO layer seperation). But "SDN" is not claimed to be supported by v7.8beta, so it's not a bug or regression.

Please keep this forum topic strictly related to this particular RouterOS release.

Mikrotik started a different thread soliciting feedback on the topic a while back,: viewtopic.php?t=186352
that seems better place for this SDN discussion.

pe1chl · Thu Jan 26, 2023 4:08 pm

Believe me, while this is possible to achieve manually, you just want the box to "know" what o365 traffic is.

That is not something a generic router can do. You need to buy a special box that has a maintenance contract to provide you with the dynamic information required for that.

uCZBpmK6pwoZg7LR · Thu Jan 26, 2023 4:52 pm

It is already fixed in v7.7 and v7.8betas
Can u explain more exactly what you have fixed for bpg vpn4?
It still have problem with best path calculation?

Thx

It was fix of issue
that MT send reflected route back to sender with own self as nexthop . Due to it sender installed reflected route which it got from reflector and bgp session was broken . In moment when bgp session broken it again established bgp session and again send own routes which were reflected back to sender. it was binded with MP_REACH_NLRI
This is a copy of my support ticket i create to fix this issue

ROS 7 ibgp rr - ROS 6 ibgp .

Ros 6 establish connection and send update (MP_REACH_NLRI) with NLRI nexthop self ip (for example 10.29.193.134 )to ROS 7 RR

ROS 7 RR send back MP_REACH_NLRI with own self ip (for example 10.29.192.19 ) address and of course it also not care about propagate flag which also not right.

due to it ROS 6 reply MP_UNREACH_NLRI and ROS 7 reflect it back as well .

After it whole cycle repeat endless.

I attached wireshark capture , sipout from hub. and some screens which illustrate issue. 1 screen from ROS7 which show setting and 2 screens from ROS 6 where visible endless looped updates and export / import vrf rd.

sirbryan · Thu Jan 26, 2023 5:57 pm

Sound really affordable to use Mac's as VMware hosts.

It can't be that heavy workloads if you can replace them with some ARM boxes with 16G of RAM.

The sarcasm does little to bolster your point. Those machines were made in 2009/2012 and ran through their useful macOS lifetime years ago.

Who said anything about a heavy workload? Your argument is that "nobody in their right mind" buys MikroTik to experiment with containers. I'm telling you I just did, for all the reasons listed previously. For my purposes, the CCR2116 is a better value than an i7 NUC.

I've been doing this for 25 years. Hardware/Software vendors see a much bigger picture than what 20-30 vocal people on an Internet forum thread see. In the case of containers (7.6) and storage (7.8), exposing more of the Linux ecosystem in RouterOS makes each box that much more powerful, and makes customers like me want to buy more of their product for additional purposes. And the work one (or two) people are doing to create a wrapper around existing things isn't taking anybody away from the more pressing problems with BGP, BFD, etc.

To bring it back on topic, I have one 2116 in production running 7.8b2, and it's working fine. The 2116 and AX3 in the lab are also working fine. No problems to report (yet).

woland · Thu Jan 26, 2023 6:26 pm

That is not something a generic router can do. You need to buy a special box that has a maintenance contract to provide you with the dynamic information required for that.

:) And yet most of ASRs & ISRs of the biggest router vendor support it... search for "SD-WAN Application Intelligence Engine"
Sincere apologies! I swear this is my last OT message in this thread!

FattyAcid · Thu Jan 26, 2023 9:59 pm

Believe me, while this is possible to achieve manually, you just want the box to "know" what o365 traffic is.
That is not something a generic router can do. You need to buy a special box that has a maintenance contract to provide you with the dynamic information required for that.

What is a generic router? Even Mikrotik routers aren't "generic".

FortiNet FortiGate firewalls can do NGFW, IPS, UTP, SD-WAN, BGP and OSPF. And SD-WAN doesn't require a license or maintenance contract.

Cisco routers can do SD-WAN now too; it's an additional license but it's the same platforms. And the can both identify Office365. What does generic mean again?

Znevna · Thu Jan 26, 2023 10:09 pm

Since you have so many options to choose from, why don't you go with that vendor instead of barfing offtopic in the MikroTik Forums in all release topics?

nevolex · Fri Jan 27, 2023 3:40 am

Still no hardware acceleration for OpenVPN tunnel and IPQ-6010 processor (hAP ax3)

is that actually supported ?

Larsa · Fri Jan 27, 2023 11:40 am

What is a generic router? Even Mikrotik routers aren't "generic". FortiNet FortiGate firewalls can do NGFW, IPS, UTP, SD-WAN, BGP and OSPF. And SD-WAN doesn't require a license or maintenance contract. Cisco routers can do SD-WAN now too; it's an additional license but it's the same platforms. And the can both identify Office365. What does generic mean again?

You are mixing up L7 firewalls and IDPS (intrusion detection and prevention systems) with routers. And the way you throw around acronyms, it's hard to tell if you even know the difference.

All types of application awareness are becoming increasingly difficult to achieve these days due to web-based applications and end-to-end encryption, you are left with just IP addresses and port numbers to play with. And for the same reason you can forget about "dynamic application routing" based on L7 filtering.

hzdrus · Fri Jan 27, 2023 12:28 pm

MT is currently missing a big point. Apart from routing features present in v6 that are not available on v7... they advertise the L3-HW that is BROKEN!
I have since 7.4 a support file, that is not fixed and they dindt give me any ETA for the fix.
We need every one hour to stop and restart the l3-hw engine on the CRS317. They are NOT READY for the isp business, but they ignore it.
SUP-95367 is still unfixed.

Hi, can you elaborate a bit more on the scenario where you're facing this issue? I was considering to use CRS317 for a basic L3 routing with OSPF ...

spippan · Fri Jan 27, 2023 12:56 pm

You are mixing up L7 firewalls and IDPS (intrusion detection and prevention systems) with routers. And the way you throw around acronyms, it's hard to tell if you even know the difference.

All types of application awareness are becoming increasingly difficult to achieve these days due to web-based applications and end-to-end encryption, you are left with just IP addresses and port numbers to play with. And for the same reason you can forget about "dynamic application routing" based on L7 filtering.

thank you for phrasing that out the way you did - that was the point why i mentioned SDWAN does not have to do anything with app-detection in it's basic implementation.
that is more for IDPS topics as you wrote.

SDWAN in its core functionallity mostly is a deployment and configuration/administration system based on overlay a software (mostly a central controler) over a underlying L2/L3 network for the most part. everything else are additional "features" to a SDWAN/SDN deployment/setup

... enough off-topic -> SDN stuff over there to be discussed :-D viewtopic.php?t=186352

pe1chl · Fri Jan 27, 2023 12:58 pm

All types of application awareness are becoming increasingly difficult to achieve these days due to web-based applications and end-to-end encryption, you are left with just IP addresses and port numbers to play with. And for the same reason you can forget about "dynamic application routing" based on L7 filtering.

It will not be long before "destination port number" will be a constant that is always 443. We can get a new version of TCP that omits it.
When you have a VPN where you want to route certain traffic (like realtime voice) over different tunnels than other traffic (like large file transfers) you might get away with identifying traffic during the session setup, using techniques like the L7 matcher and the TLS host matcher, then mark the connection and route it differently. But that has no use when routing Office365, where your decision is not "which tunnel between branches do we select" but rather "which internet connection do we select for the outgoing connection".
By the time you have identified an outgoing TCP connection to port 443 as being for Office365, it is too late to re-route it to another outgoing line.
The only thing you can do is have address lists for Microsoft servers known to be used for Office365. And that is dynamic data that has to be updated.

noradtux · Fri Jan 27, 2023 5:38 pm

That is not something a generic router can do. You need to buy a special box that has a maintenance contract to provide you with the dynamic information required for that.
:) And yet most of ASRs & ISRs of the biggest router vendor support it... search for "SD-WAN Application Intelligence Engine"
Sincere apologies! I swear this is my last OT message in this thread!

And most of these devices are a _LOT_ more expensive than even the CCR2216.

Larsa · Fri Jan 27, 2023 6:22 pm

.. search for "SD-WAN Application Intelligence Engine"
And most of these devices are a _LOT_ more expensive than even the CCR2216.

Application awareness like Cisco's Application Intelligence Engine and similar solutions are pure MBS based on some marketing directors wet dream long way back in time when they came up with the acronym NGFW. They all depend on DPI and similar obsolete techniques that will soon be totally useless for obvious reasons.

TheNetworkBerg · Sat Jan 28, 2023 1:47 pm

@mrz

Can you guys please update your docs regarding MP-BGP? I still cannot get VPNv4 to work with either 7.7 or 7.8beta2, I can learn the routes from the route reflector, however traffic does not effectively flow. Either I am making some configuration mistake, or this still does not work.

Thanks in advance.

EgidijusL · Sat Jan 28, 2023 2:09 pm

Hap ax3. Wifi 5Ghz speed same shit from v7.7...

Sat Jan 28, 2023 2:45 pm

Hap ax3. Wifi 5Ghz speed same shit from v7.7...

What shit ? Please be more specific or nobody will be able to know what you mean.
I have mine since yesterday, upgraded to 7.8beta and I can easily get around 600mbs with Galaxy S20 (which I think is pretty decent).
On ac3 with wave2 it was low 500.

clambert · Sat Jan 28, 2023 2:46 pm

@mrz

Can you guys please update your docs regarding MP-BGP? I still cannot get VPNv4 to work with either 7.7 or 7.8beta2, I can learn the routes from the route reflector, however traffic does not effectively flow. Either I am making some configuration mistake, or this still does not work.

Thanks in advance.

I had to explicitly disable fastpath for VPNv4 to work.

JoaoS · Sat Jan 28, 2023 5:31 pm

I would like to leave my two cents, in defense of Mikrotik:

Keeping these discussions on topic, obfuscates developers to keep track of what is really needed. Making a complaint I think is valid and positive, but holding a discussion is not. Preferable to call for a new topic and the most interesting for MT to listen too.

SDWAN, IDPS , NGFW or things like that. I don't see MT as a business rule. We shouldn't have any kind of hope.

Now a little disappointment:

Routing is MT's business and the main focus should be on improving and delivering new functions, with their fastest possible fixes. As much as I like new functions, like ROSE, Containers, Wireguard... It gives me the feeling that the MT is not keeping the focus. As the resolution and improvement of:
BFD fixed
BGP-VPNv4-VRF RR fixed
EVPN
MPLS Fast Reroute
BGP Multipath
L3HW off loading that is compatible with MLAG and VRRP
L3HW off loading for VXLAN
L3HW off loading for QinQ
OSPF improvements
IPsec Virtual Tunnel Interface

I think that such requirements already satisfies almost all of the public, as it opens up potential possibilities for us.

Improvement of the wireless network, I also support it, I see it as a business rule for you too, but secondary. I see such more enterprise features like:
band steering,
roaming,
wireless bridging for wifiwave2,

jbl42 · Sat Jan 28, 2023 11:07 pm

jbl42 · Sat Jan 28, 2023 11:08 pm

To add something more constructive to all the complaints:
I'm happy with the state of ROS 7.x on RB5009. For heavy SOHO and small branch applications, they work reliable with not much complaints except some SFP+ module issues solvable by using other SFPs. Also Docker is appreciated to run services like pi-hole, VoIP/SIP proxies or small local syslog servers. Same for Wireguard.

But CRS2x16 boxes mainly make sense for large/full table routing with 40/100Gbit. For such applications L3HW and BFD/OSPF issues are dealbreakers and having containers, Wireguard and ROSE does not compensate for anything.

Covering everything from hAP to CRS2x16 with one ROS seems to be a far stretch.
This is why I feel it might be worth to considering splitting up ROS into different versions for SOHO/CEP and large scale routers with different feature priorities.

theprojectgroup · Sun Jan 29, 2023 12:14 am

hAP ax3 wifi is very slow and unstable (but it's also on stable ROS):
viewtopic.php?p=980696&hilit=hap+ax3#p980696
Looks like it's bridge related. When routing and natting, throughput is stable in both directions.

Sun Jan 29, 2023 12:39 am

hAP ax3 wifi is very slow and unstable (but it's also on stable ROS):

No, it's not.

theprojectgroup · Sun Jan 29, 2023 2:54 am

No, it's not.

I am very sorry, but it is.
hAP ax2 & 3 have major stability and performance issues since their release for at least a few people.

But I am very glad you seem to be not affected .

loloski · Sun Jan 29, 2023 3:12 am

To add something on what needs to be improved IPV6 fasttrack is a must and should be at least with significant priority and VPDN (LAC) for serious consideration

what are the odds in the next beta code drop the elusive BFD feature is in? :)

Sun Jan 29, 2023 5:15 am

@mrz

Can you guys please update your docs regarding MP-BGP? I still cannot get VPNv4 to work with either 7.7 or 7.8beta2, I can learn the routes from the route reflector, however traffic does not effectively flow. Either I am making some configuration mistake, or this still does not work.

Thanks in advance.

Do VPLS tunnels work in your configuration?

This may seem like a stupid question, but I'm just trying to work backward with you. There are a few non-obvious changes to MPLS in v7 and if VPLS is not working it will help to pinpoint the problem

nichky · Sun Jan 29, 2023 6:55 am

also, we need static VPLS name , when we running them over BGP

Sun Jan 29, 2023 8:44 am

No, it's not.
I am very sorry, but it is.
hAP ax2 & 3 have major stability and performance issues since their release for at least a few people.

For one, it doesn't help if you generalize.
The forum would be swamped with problem reports if this was the case.
Secondly, start a separate thread with full exported config and as much surrounding detail as possible. Unless i missed it, i have not seen that yet in your other thread.
Also create a support ticket with supout of your device when the issue occurs.

mada3k · Sun Jan 29, 2023 2:59 pm

...

Well made points.

The market is already flooded with SDWAN, IDS, NGFW stuff, and it's probably very hard to gain any foot there because those who want's this are willing to pay for it.

But RouterOS is the only alternative I know besides the "giants" that does advanced BGP, BGP-VPNv4, MPLS, VPLS, L3HW etc. And it some extent managed Wifi-solutions (the alternative is UniFi). This with efficent/affordable hardware is their strongest place.

Covering everything from hAP to CRS2x16 with one ROS seems to be a far stretch.
This is why I feel it might be worth to considering splitting up ROS into different versions for SOHO/CEP and large scale routers with different feature priorities.

Yes and no. We run IOS-XE on both ISR 1000 boxes and our 25/100G Catalyst. But the software image is about 800MB. Not the "within 16MB" principle that RouterOS has.

pe1chl · Sun Jan 29, 2023 3:08 pm

Note that MikroTik in fact is moving in the opposite direction. In v6 there still were separate packages for things like wireless, hotspot, capsman, mpls, bgp, etc.
In v7 all is put together in a single right-for-everyone package. So instead of differentiation we have movement towards a single version.
I can understand how that desire occurred, because there were more and more packages with cross dependencies and the installer could not deal with that.
I would have no problem with a system package that includes what was in e.g. dhcp, ppp, security, ipv6 and advanced-tools because those were all mutually dependent and/or the situation where one was not installed made operation of the other more complicated.
But I really do not understand why we are all forced to have stuff like wireless, hotspot, capsman, mpls and bgp on each and every device.

sirbryan · Sun Jan 29, 2023 3:16 pm

For those wondering where MikroTik is going with all of this, especially CCR2000 and beyond...

From Cisco: https://www.cisco.com/c/en/us/products/ ... 42415.html (emphasis mine)

Cisco IOS XE 16.12.1 introduces native Docker container support on certain models of Catalyst 9000 switches. This enables users to build and bring their own applications without additional packaging. Developers don’t have to reinvent the wheel by rewriting the applications every time there is an infrastructure change. Once packaged within Docker, the applications will work within any infrastructure that supports docker containers...

From Arista: https://www.arista.com/en/products/eos/ ... ogrammable

EOS offers the ability to write scripts and load applications directly onto the Linux operating system and to run these applications as guest VMs. Features of EOS extensibility include:

Installation without modification of third-party software for Linux

Scripting and Linux shell-level access for automation

Programmable at all layers: Linux kernel, hardware forwarding tables, switch configuration and CLI, switch control plane as well as management layer

Support for running Docker containers directly on the switch

I applaud and welcome the fact that we also get it on the little ARM/ARM64 boxes. In the coming months, out of the hundreds of RouterOS devices I have installed in the field, more will be using newer features like Wireguard/ZeroTier and simple containers than MPLS/BGP/OSPF/etc.

benkreuter · Sun Jan 29, 2023 5:36 pm

For those wondering where MikroTik is going with all of this, especially CCR2000 and beyond...

From Cisco: https://www.cisco.com/c/en/us/products/ ... 42415.html (emphasis mine)

You know what else also those Cisco/etc. routers can do? OSPF, BGP, BFD, and other basic routing protocols that we rightly expect a router to support. I do not doubt that there are legitimate use-cases for containers, but it remains secondary to core routing features -- especially on machines with support for L3 offloading and other routing/switching specific hardware features.

benkreuter · Sun Jan 29, 2023 5:42 pm

also, we need static VPLS name , when we running them over BGP

That is not necessarily the right thing, BGP signalled VPLS tunnels are created dynamically and there may be a lot of them in any given bridge. It is not clear to me how static names would even work in that case.

What would really help is the ability to specify a VLAN for BGP-signalled VPLS. The need is somewhat niche, but I have found myself resorting to all kinds of brittle workarounds when it has come up.

mada3k · Sun Jan 29, 2023 5:59 pm

From Cisco: https://www.cisco.com/c/en/us/products/ ... 42415.html (emphasis mine)

I applaud and welcome the fact that we also get it on the little ARM/ARM64 boxes. In the coming months, out of the hundreds of RouterOS devices I have installed in the field, more will be using newer features like Wireguard/ZeroTier and simple containers than MPLS/BGP/OSPF/etc.

I know, we have those at work. But using $9,000 switches for hosting containers is insane when you have a working VMware envoriment. The price difference GB/CPU per $ is astronomical. It only makes sense for a branch/edge site that needs a on-site agent of some kind (security, proxy, monitoring, authentication, etc.)

jbl42 · Mon Jan 30, 2023 1:20 am

Beside running services, I can also see value in Docker for testing and debugging: Temporary starting up a minimal Debian or Ubuntu image on a remote router to run tools like flent, cacti or nagios from the router's remote point of view could come in handy.

EgidijusL · Mon Jan 30, 2023 1:39 am

hAP ax3 wifi is very slow and unstable (but it's also on stable ROS):
No, it's not.

Yes, with v7.7 and v7.8 speed slow... downgrade to v7.6 and OK.

EgidijusL · Mon Jan 30, 2023 1:49 am

Hap ax3. Wifi 5Ghz speed same shit from v7.7...
What shit ? Please be more specific or nobody will be able to know what you mean.
I have mine since yesterday, upgraded to 7.8beta and I can easily get around 600mbs with Galaxy S20 (which I think is pretty decent).
On ac3 with wave2 it was low 500.

With v7.6 5Ghz speed ~800Mbs, with v7.7 speed ~400Mbs using Iphone 12 pro max

Mon Jan 30, 2023 6:19 am

As replied on other thread:
went over 7.6, 7.7, 7.8beta using Samsung S20: all give for me the same figures on my devices (obviously with some variation when doing multiple test runs but everything falls consistently in the same fork).
Nothing special on that device (just unboxed it, wanted to toy first with AX before moving one of the home AC3's to this one).

Jotne · Mon Jan 30, 2023 7:52 am

With v7.6 5Ghz speed ~800Mbs, with v7.7 speed ~400Mbs using Iphone 12 pro max

Where is your config and what hardware are your running on..

spippan · Mon Jan 30, 2023 8:38 am

With v7.6 5Ghz speed ~800Mbs, with v7.7 speed ~400Mbs using Iphone 12 pro max
Where is your config and what hardware are your running on..

hAP ax3

kosyot · Mon Jan 30, 2023 10:46 am

BGP - one step ahead, two back..

fixed cli command (not @winbox)

/ip/route/print count-only  where

not always show 0

but..
belongs-to= where cause gone ?

how to print routes received by specific BGP peer ? (immediate-gw is not a option)

pe1chl · Mon Jan 30, 2023 11:30 am

belongs-to works fine for me! you should not use /ip/route/print but rather /routing/route/print.

Jotne · Mon Jan 30, 2023 12:26 pm

The mix of location has given me headache several times.
Example:
Cli /user
Gui System->Users

Cli /interface/bridge
Gui Bridge

Cli /routing/route
Gui ip -> Routes

It may have been done to get to it more quickly?
Name should be equal and same with path.

eworm · Mon Jan 30, 2023 12:28 pm

Cli /routing/route
Gui ip -> Routes

This is not the same! There is

/ip/route/

and

/routing/route/

!

clambert · Mon Jan 30, 2023 12:50 pm

What would really help is the ability to specify a VLAN for BGP-signalled VPLS. The need is somewhat niche, but I have found myself resorting to all kinds of brittle workarounds when it has come up.

The ability to define a VLAN for dynamically created interfaces using VPLS within a bridge would be very useful for our implementations.

xh116 · Mon Jan 30, 2023 5:31 pm

Since updating to 7.8beta2 I'm having issues importing remote container image zabbix/zabbix-proxy-sqlite3:alpine-6.0-latest on my RB5009 (arm64). It was working fine on 7.7rc5.

 16:43:05 container,info,debug importing remote image: zabbix/zabbix-proxy-sqlite3, tag: alpine-6.0-latest
 16:43:05 system,info item added by cesar
 16:43:07 container,info,debug error response getting manifests: 404
 16:43:07 container,info,debug was unable to import, container 4a07240c-862b-4861-a16a-68605478ad54

After changing to zabbix/zabbix-proxy-sqlite3:alpine-6.0.12 it works fine again:

 16:45:28 container,info,debug importing remote image: zabbix/zabbix-proxy-sqlite3, tag: alpine-6.0.12
 16:45:28 system,info item added by cesar
 16:45:31 container,info,debug getting layer sha256:6875df1f535433e5affe18ecfde9acb7950ab5f76887980ff06c5cdd48cf98f4
 16:45:32 container,info,debug layer sha256:6875df1f535433e5affe18ecfde9acb7950ab5f76887980ff06c5cdd48cf98f4 downloaded
 16:45:32 container,info,debug getting layer sha256:2068be5b412156c5bc2936aeb988446cb6ac458c4c408ac51b5143e9632073f0
 16:45:33 container,info,debug layer sha256:2068be5b412156c5bc2936aeb988446cb6ac458c4c408ac51b5143e9632073f0 downloaded
 16:45:33 container,info,debug getting layer sha256:35af6ce2b615d78f6617ef90fdbb0aef91a77c766594c28325a8e9e589d0e002
 16:45:33 container,info,debug layer sha256:35af6ce2b615d78f6617ef90fdbb0aef91a77c766594c28325a8e9e589d0e002 downloaded
 16:45:33 container,info,debug getting layer sha256:7becd6903f60f84a63358dbfbf033e34094e07d255085fe0d9a2fe48481e74b6
 16:45:34 container,info,debug layer sha256:7becd6903f60f84a63358dbfbf033e34094e07d255085fe0d9a2fe48481e74b6 downloaded
 16:45:34 container,info,debug getting layer sha256:21bb24f368b7ae4b135a1ef432a6379a54310c37e8a7b8d54d0260d7cd768f9d
 16:45:35 container,info,debug layer sha256:21bb24f368b7ae4b135a1ef432a6379a54310c37e8a7b8d54d0260d7cd768f9d downloaded
 16:45:35 container,info,debug getting layer sha256:9e1e869413aec50921ae70ba3b2098e56ab598bb6a26d2b0d5c697f7c433cb00
 16:45:37 container,info,debug layer sha256:9e1e869413aec50921ae70ba3b2098e56ab598bb6a26d2b0d5c697f7c433cb00 downloaded
 16:45:38 container,info,debug getting layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
 16:45:38 container,info,debug layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 downloaded
 16:45:38 container,info,debug getting layer sha256:e4034d2118985bc524c23df0d8c998c604ee97aef464494c39111bf32ebd9335
 16:45:39 container,info,debug layer sha256:e4034d2118985bc524c23df0d8c998c604ee97aef464494c39111bf32ebd9335 downloaded
 16:45:39 container,info,debug import successful, container c3a27c76-186a-47bf-ace4-04fcff0790fd

zabbix/zabbix-proxy-sqlite3:alpine-6.0-latest was updated a few hours ago. Maybe something is wrong on Docker Hub? Or is it a bug in 7.8beta2?

I have the same problem with my own build, all newly pushed to docker hub are the same error. if you pull from other linux os and upload to routeros, it works.

CTassisF · Mon Jan 30, 2023 5:41 pm

I have the same problem with my own build, all newly pushed to docker hub are the same error. if you pull from other linux os and upload to routeros, it works.

Same behavior here: not working on RouterOS, but on macOS with Docker it works fine.

I've opened a ticket (SUP-105409) but it was closed by MikroTik as "not our bug".

I also reported this to the maintainers of Zabbix images on Docker Hub (https://github.com/zabbix/zabbix-docker/issues/1049) and they said to wait next release. I'm waiting to see if they will be able to fix this.

mkx · Mon Jan 30, 2023 7:31 pm

I've opened a ticket (SUP-105409) but it was closed by MikroTik as "not our bug".

No wonder with error message

16:43:07 container,info,debug error response getting manifests: 404

which indicates http error 404 (not found). That's a problem on remote side (github) and if things worked previously it may mean some necessary platform-specific files are missing.

kosyot · Mon Jan 30, 2023 9:04 pm

belongs-to works fine for me! you should not use /ip/route/print but rather /routing/route/print.

my mistake :(

pe1chl · Wed Feb 01, 2023 10:56 am

It would be great if OVPN would get static key support soon. Can you please tell me what's the problem implementing this?

Well, the "official" OpenVPN version 2.6.0 just released has dropped the support for static key, so that would be one possible reason for not bothering with it anymore...

dadaniel · Wed Feb 01, 2023 2:20 pm

Well, the "official" OpenVPN version 2.6.0 just released has dropped the support for static key, so that would be one possible reason for not bothering with it anymore...

Yes, but they write: static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using --peer-fingerprint makes TLS mode about as easy as using --secret.”

But Mikrotik does not support TLS authentication at all...
https://help.mikrotik.com/docs/display/ROS/OpenVPN (Limitations)

troffasky · Wed Feb 01, 2023 3:05 pm

MT will never play any role in any SDWAN unless the boxes can understand & detect (many) application and steer accordingly.

Ask three network engineers what "SDWAN" is and you will get at least three different answers.

troffasky · Wed Feb 01, 2023 3:07 pm

While I agree with many of the flaws, point #3 is generally referred to as SDWAN and is implemented in RoS using ZeroTier.

Sure, so long as you're using ARM. Three times now we have deployed Zerotier for a customer and *not* used CHR for the soft-router element because it doesn't support Zerotier.

own3r1138 · Wed Feb 01, 2023 3:52 pm

Is it just me? Do others also experiencing the same? I didn't see any issue on ARM devices. The screenshot is from a CHR.

2023-02-01_17-18-18.jpg

update
The certificate CRL download doesn't work when only the DOH is used.

/ip dns
use-doh-server=https://dns-record.domain.tdl/dns-query verify-doh-cert=yes
/ip dns static
add address=public-ip name=dns-record.domain.tdl

eworm · Wed Feb 01, 2023 3:55 pm

That is the distribution point for Let's Encrypt R3 certificate revocation list.

Open your browser, point it to a website secured by Let's encrypt and see the certificate details...

pe1chl · Wed Feb 01, 2023 4:08 pm

If deploying a PKI CA is considered "too complicated", using --peer-fingerprint makes TLS mode about as easy as using --secret.”

But Mikrotik does not support TLS authentication at all...
https://help.mikrotik.com/docs/display/ROS/OpenVPN (Limitations)

When you want a simple no-certificate-hassle VPN, MikroTik offers more than enough alternatives: IPsec, SSTP, Wireguard, ...
When it is about VPN support, there is always somebody who asks for an option (or an entire protocol) that isn't supported...

dadaniel · Wed Feb 01, 2023 5:06 pm

When you want a simple no-certificate-hassle VPN, MikroTik offers more than enough alternatives: IPsec, SSTP, Wireguard, ...
When it is about VPN support, there is always somebody who asks for an option (or an entire protocol) that isn't supported...

It's all about money: Our software solution provider says OpenVPN connection is free, IPsec connection is 410 Euro one-time-fee and 25 EUR monthly fee.
Sometimes you can't control both VPN endpoints....

Wed Feb 01, 2023 7:36 pm

Wireguard is free.
Faster then openvpn too.

pe1chl · Wed Feb 01, 2023 8:01 pm

It's all about money: Our software solution provider says OpenVPN connection is free

"Solution provider" that offers OpenVPN only with static keys? That is pretty sad... they will not be happy finding that they need to point their users to obsolete software from now on, I guess...
In this sense I am a "solution provider" myself and my OpenVPN server (which is not running on RouterOS but plain Linux) works with the standard easy-rsa certificate system.
I don't know if RouterOS can connect to it by now, it used to be not possible because it uses UDP only, and users with MikroTik routers get L2TP/IPsec or GRE tunnels instead.

leonardogyn · Wed Feb 01, 2023 9:38 pm

.....
I don't know if RouterOS can connect to it by now, it used to be not possible because it uses UDP only, and users with MikroTik routers get L2TP/IPsec or GRE tunnels instead.

.
RouterOS version 7 is now capable of using UDP OpenVPN connections. There are still some limitations, as it seems to use a proprietary implementation of OpenVPN. But it can do TCP and also UDP on RoSv7. RoSv6 is really limited to TCP connections only.

pe1chl · Wed Feb 01, 2023 9:43 pm

RouterOS version 7 is now capable of using UDP OpenVPN connections. There are still some limitations, as it seems to use a proprietary implementation of OpenVPN.

I know that... there are many config parameters and also features that could make it fail. Compression, push of routes and other parameters, etc.
That is why I mention I did not test it. There probably will be some reason why it fails.

shaw627 · Wed Feb 01, 2023 10:41 pm

Not specific to 7.8b2, but seems to affect it. Starting from v7.7, it seems the dns resolver has a memory leak that eats up all the Mikrotik memory until the RouterOS crash and reboots. Not all are affected, but all affected confirmed to be providing DNS services for client devices.

If you're running 7.8 and providing DNS services for your connected networks, watch out for your box memory usage! This is really bad specially for the low-memory spec models, but seems to affect a variety of different models. Those with more RAM will just take longer to crash and (luckly) reboot.

viewtopic.php?t=192427#p979415

me2, dns cache can't be freed though I flush dns cache since v7.7 stable. (tested on hap ac2 and RB4011)

mducharme · Thu Feb 02, 2023 12:18 am

*) route - fixed IPv6 default route presence when received from RA;

This does not seem to be working - I do not see this route either in the Winbox GUI or the CLI.

pe1chl · Thu Feb 02, 2023 11:03 am

*) route - fixed IPv6 default route presence when received from RA;
This does not seem to be working - I do not see this route either in the Winbox GUI or the CLI.

It works for me... maybe there is some other factor in your setup that influences it.

depth0cert · Thu Feb 02, 2023 11:10 am

*) certificate - improved certificate management, signing and storing processes;

SUP-105306
This does not seem to be working - I have error "ipsec,error can't get private key".
I attached the command-history.txt and supout.rif files from 7.7 where everything works and from 7.8beta2 where it does not work.

snowzach · Thu Feb 02, 2023 10:16 pm

I've opened a ticket (SUP-105409) but it was closed by MikroTik as "not our bug".

No wonder with error message

16:43:07 container,info,debug error response getting manifests: 404
which indicates http error 404 (not found). That's a problem on remote side (github) and if things worked previously it may mean some necessary platform-specific files are missing.

Yeah, I figured out what the issue was.. I tried to build my own docker image and I couldn't get anything but 404 when I tried to pull the image to the Mikrotik. The issue is that the new Docker buildx uploads images in this OCI format. You'll also find that if you do `docker inspect <image name>` it will say the image isn't found because the inspect command also does not support this format. (funny right?) It's related to this issue: https://github.com/moby/moby/issues/43126 You can fix your own images by following this: https://github.com/docker/buildx/issues ... 1378538197

As for vendor images, you'll need to pull them, save them as a tar and upload them to the Mikrotik to get them to work.

Mikrotik will need to update their docker daemon to support this new manifest format. I opened a ticket and provided them the information.