> *) disk - added support for manual RAM file system (TMPFS) creation (CLI only);

Great news!

> *) dns - respond with lowest TTL for inner queries containing A, AAAA, CNAME chains;

Finally Playstation Network works?
> > *) disk - added support for manual RAM file system (TMPFS) creation (CLI only);
> Great news!

defaults do not change. This is optional and needs to be enabled:

But this means we will not see the default behavior change on devices that did not use a RAM file system till now? So to have consistent behavior (and paths in scripts) on all devices I create a disk of type "tmpfs" with slot "tmpfs" and store my volatile data in "/tmpfs/...".
> *) disk - added support for manual RAM file system (TMPFS) creation (CLI only);

5 years later, but congrats! and thank you!

> > *) disk - added support for manual RAM file system (TMPFS) creation (CLI only);
> Not see the default behavior change on devices that did not use a RAM file system till now? So to have consistent behavior (and paths in scripts) on all devices I create a disk of type "tmpfs" with slot "tmpfs" and store my volatile data in "/tmpfs/...".

Seems to work in limited testing. I'm okay with their approach: if a script needs a RAMdisk, it can just create one now. Although the idea that the root is always a RAMdisk on all devices would be more convenient for sure. But I guess this does allow some flexibility and control of the max sizes, and sets a fixed name for the path (slot=).

/disk/add partition-size=800M tmpfs-max-size=800M type=tmpfs slot=myramdisk
*) mpls - fixed assigning of explicit null label for IPv6;
I guess your device has anything up to 1GB of RAM. Without giving "tmpfs-max-size" you have half of your RAM for the disk. I did find that if it's a large file from say /tool/fetch, it seems you have to set "tmpfs-max-size" to control the max file size, as I got an "out of space" error when I tried a 700M file without it. But it was willing to fill memory with the file, winbox let you download it, and when you delete it the memory is freed as expected (at least according to /system/resources).
/interface/wifiwave2/info country-info
RouterOS version 7.7rc1 has been released in the "v7 testing" channel!

What are you trying to do there? Try print before using set. And don't use set with numbers; that is used after print, and should be used with the number, not the name.
> > *) disk - added support for manual RAM file system (TMPFS) creation (CLI only);
> 5 years later, but congrats! and thank you!

Indeed, finally! Thanks a lot, it would have been very useful on our CCRs (in v6) which have later been replaced by CHR so now it doesn't matter anymore...

> I can't set or get the disk name on my hap ac3.

Disks now have slot, as their name. This will be included in Winbox in future releases.

/disk set 0 slot=...

[admin@MikroTik] > export
# jan/02/1970 00:28:35 by RouterOS 7.7rc1
# software id = 05P4-9A42
#
# model = RB922UAGS-5HPacD
# serial number = 724606255106
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/system routerboard settings
set init-delay=2s reformat-hold-button-max=2m
/system script
add dont-require-permissions=no name=hello-word owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global helloWorld;\r\n:set helloWorld do={:put \"Hello World.\";}"
[admin@MikroTik] >

Running the script (no matter if on terminal or on winbox) the run script count increases by 1 and /system script environment reports the right value.
Any plans for fix broken VPN4 bgp reflection ?

> Any plans for fix broken VPN4 bgp reflection ?

Been waiting for this as well, so many testing releases, with no fix on the VPNV4

> > Any plans for fix broken VPN4 bgp reflection ?
> Been waiting for this as well, so many testing releases, with no fix on the VPNV4

Similarly, BGP-signaled VPLS with route reflection still not working. Really hinders our ability to deploy v7. :/
Thanks for that. I too have infrequently seen this "forgotten global" problem. I generally attributed it to maybe the router got rebooted etc. etc., so just reloaded the script functions that I thought should have been there already... Still have a few MIPSBE RB953s in the field, and that's exactly where it seems to happen now that I think about it.

> RB5009 2.5G SFP module support introduced in 7.7beta8 no longer appears to be working. It was working in 7.7beta8 & 7.7beta9. My ISP uses a GPON module that can link at 2.5G. With 7.7beta8 and 7.7beta9, I was able to get my full download bandwidth of ~1280Mbps by plugging the GPON directly into the SFP+ port on my RB5009. With 7.7rc1, it's down to gigabit download speeds using the same hardware configuration.
> I've also tried using a 2.5GBase-T SFP module that worked correctly under 7.7beta8 & 7.7beta9, same thing. Speeds are reduced to gigabit despite routeros reporting a 2.5Gbps link.
> (edit)
> CPU usage with my hardware config is approximately doubled when doing NAT, compared to the previous betas.

What is the LAN_SDS mode on the GPON SFP?

> Just try yourself... ;)

I did. As said... Can not reproduce.

> Running the script (no matter if on terminal or on winbox) the run script count increases by 1 and /system script environment reports the right value.
> But after some minutes and after terminal or winbox is closed, the run script count returns to 0 and the environment is cleaned.

I hope you believe me, I'm not the only user who noticed that, and also because I indicated exactly the hardware used and how the device is configured...

> > I can't set or get the disk name on my hap ac3.
> Disks now have slot, as their name. This will be included in Winbox in future releases.
> /disk set 0 slot=...

This issue brings in problems in starting containers. All I need is to re-create and do some minor configurations.
@daaf
THE BUG STILL EXISTS, BUT (for me) HAPPENS ONLY ON MIPSBE!!! (Winbox 3.37 64 bit)
I am not able to replicate it on RB5009 arm64
viewtopic.php?p=944654#p944663
> I hope it wasn't in production...

it was :(

> the 7.7rc1 in our case (more than 5M routes) freezes when modifying a filter rule.

Firewall filter? or route filters?

> > the 7.7rc1 in our case (more than 5M routes) freezes when modifying a filter rule.
> Firewall filter? or route filters?

route filter rule, sorry
> Currently I have done the test on a hAP ac3 (arm) and the same thing happens, the global variables disappear from the environment after a few minutes of closing the winbox.

Thanks, we repeated the issue

> With wifiwave2/capsman has anyone had any success with WPA(1/2/3) enabled?

What seems to be the issue?

> > [...] the global variables disappear from the environment after a few minutes of closing the winbox [...]
> Thanks, we repeated the issue

Oh, this is great!!!!

> This issue brings in problems in starting containers. All I need is to re-create and do some minor configurations.

Please elaborate.

> 7.7rc1 lost Dynamic Servers from pppoe-client, when the pppoe-client has been up 1 hour. maybe dns crash. please check SUP-100985

Works OK for me, no change relative to earlier versions. Do you keep the IPv4 connectivity or is the local IP address assigned via PPPoE also lost?

> Any plans for fix broken VPN4 bgp reflection ?

No, I'm using VPN4, i.e. L3 VPN (VPRN). Inside the VRF, ROS 7 transmits its own nexthop instead of the MPLS hop, i.e. ROS7 just ignores the propagate option.

Are you experiencing issues with a RouterOS v7 Route Reflector? I am testing against a Cisco Route Reflector, and it seems to work properly.

> > 7.7rc1 lost Dynamic Servers from pppoe-client, when the pppoe-client has been up 1 hour. maybe dns crash. please check SUP-100985
> Works OK for me, no change relative to earlier versions. Do you keep the IPv4 connectivity or is the local IP address assigned via PPPoE also lost?

maybe you need to dns-forward a domain many times, it will crash the dns, then it will be empty, pppoe-client still online. already have the video and submitted it to the ticket
Hap ax2 (US/North American version) "failed to set country" on this release, wifi radios down. This happens with any Canada or United States selection, or undefining the variable all together.
RouterOS 7.6:
[admin@Greenroom AP] /interface/wifiwave2/radio> print detail
Flags: L - local
0 L radio-mac=**:**:**:**:**:** phy-id=0 tx-chains=0,1 rx-chains=0,1
bands=5ghz-a:20mhz,5ghz-n:20mhz,20/40mhz,5ghz-ac:20mhz,20/40mhz,20/40/80mhz,5ghz-ax:20mhz,
20/40mhz,20/40/80mhz
ciphers=tkip,ccmp,gcmp,ccmp-256,gcmp-256,cmac,gmac,cmac-256,gmac-256
countries=United States3,Canada2
5g-channels=5180,5200,5220,5240,5260,5280,5300,5320,5500,5520,5540,5560,5580,5600,5620,5640,5660,
5680,5700,5720,5745,5765,5785,5805,5825
1 L radio-mac=**:**:**:**:**:** phy-id=1 tx-chains=0,1 rx-chains=0,1
bands=2ghz-g:20mhz,2ghz-n:20mhz,20/40mhz,2ghz-ax:20mhz,20/40mhz
ciphers=tkip,ccmp,gcmp,ccmp-256,gcmp-256,cmac,gmac,cmac-256,gmac-256
countries=United States3,Canada2
2g-channels=2412,2417,2422,2427,2432,2437,2442,2447,2452,2457,2462,2467,2472
[admin@Greenroom AP] /interface/wifiwave2/radio> /interface/wifiwave2/info/ country-info "United States3"
2.4ghz: 2412 MHz 20/40mhz 30 dBm
2417 MHz 20/40mhz 30 dBm
2422 MHz 20/40mhz 30 dBm
2427 MHz 20/40mhz 30 dBm
2432 MHz 20/40mhz 30 dBm
2437 MHz 20/40mhz 30 dBm
2442 MHz 20/40mhz 30 dBm
2447 MHz 20/40mhz 30 dBm
2452 MHz 20/40mhz 30 dBm
2457 MHz 20/40mhz 30 dBm
2462 MHz 20/40mhz 30 dBm
2467 MHz 20/40mhz 30 dBm
5ghz: 5180 MHz 20/40/80mhz 30 dBm
5200 MHz 20/40/80mhz 30 dBm
5220 MHz 20/40/80mhz 30 dBm
5240 MHz 20/40/80mhz 30 dBm
5745 MHz 20/40/80mhz 30 dBm
5765 MHz 20/40/80mhz 30 dBm
[admin@Greenroom AP] /interface/wifiwave2/radio>
7.7rc1
[admin@Greenroom AP] > /interface/wifiwave2/radio/ print detail
Flags: L - local
0 L radio-mac=**:**:**:**:**:** phy-id=0 tx-chains=0,1 rx-chains=0,1
bands=5ghz-a:20mhz,5ghz-n:20mhz,20/40mhz,5ghz-ac:20mhz,20/40mhz,20/40/80mhz,5ghz-ax:20mhz,20/40mhz,20/40/80mhz
ciphers=tkip,ccmp,gcmp,ccmp-256,gcmp-256,cmac,gmac,cmac-256,gmac-256 countries=United States3,Canada2
5g-channels=5180,5200,5220,5240,5260,5280,5300,5320,5500,5520,5540,5560,5580,5600,5620,5640,5660,5680,5700,5720,5745,
5765,5785,5805,5825
max-vlans=128 max-interfaces=16 max-station-interfaces=3 max-peers=120 interface=Schnell-5GHz
1 L radio-mac=**:**:**:**:**:** phy-id=1 tx-chains=0,1 rx-chains=0,1
bands=2ghz-g:20mhz,2ghz-n:20mhz,20/40mhz,2ghz-ax:20mhz,20/40mhz
ciphers=tkip,ccmp,gcmp,ccmp-256,gcmp-256,cmac,gmac,cmac-256,gmac-256 countries=United States3,Canada2
2g-channels=2412,2417,2422,2427,2432,2437,2442,2447,2452,2457,2462 max-vlans=128 max-interfaces=16
max-station-interfaces=3 max-peers=120 interface=Schnell-2.4GHz
[admin@Greenroom AP] > /interface/wifiwave2/info/ country-info "United States3"
syntax error (line 1 column 26)
[admin@Greenroom AP] >
> *) tunnels - added VRF support for EoIP, IPIP and GRE tunnels;

Any information on how to use this?

> Incredible that the forgotten space in the message "route,bgp,error HoldTimer expiredpeername" (between expired and peername) still hasn't been fixed...

Such a major blocking issue, it is a shame

> Such a major blocking issue, it is a shame

It would be better when BFD was made available, but in the meantime these errors do occur.

> > Incredible that the forgotten space in the message "route,bgp,error HoldTimer expiredpeername" (between expired and peername) still hasn't been fixed...
> Such a major blocking issue, it is a shame

They keep ignoring the bugs and pretend nothing happens.

don't get me wrong, i love mikrotik for what they achieve with their devices and rOS, but it is such a shame/pity BGP, one of THE routing protocols, gets orphaned in v7 :(

people waiting for years to be fixed.
I wonder why they are creating CCRs for?
thx
> It is now working well :D

Yesterday I tried again and it worked. Router got a LE cert.

> *) certificate - improved Let's Encrypt logging and error recovery;

Error creating new order :: too many certificates already issued for "mynetname.net"
Before this update I got only: error [err]
Mikrotik should talk with Letsencrypt...
or update the manual, not use with cloud domain name... :)

> *) ipsec - improved IKE payload processing;

Reported on ticket SUP-100760. In less than a week resolved. Thanks mikrotik!
Sorry I meant stable version
> Dont be so serious...I was just joking.... :) when we have already RC2 I believe there will be a present from Mikrotik for christmas :)

There is no need to joke anymore about the terrible v7 release schedule...

> still no progress on VPNV4 and BFD :-(

BGP cosmetic progress only

> What's new in 7.7rc2 (2022-Dec-16 20:23):
> *) bgp - properly set "bgp-ext-communities" from "communities" list;
> *) dns - fixed handling of FWD entries where "forward-to" is a hostname;
> *) dns - improved service stability when CNAME points to a FWD entry;
> *) hotspot - improved limitation of maximum allowed connections;
> *) ipsec - improved IKE payload processing;
> *) snmp - improved stability when receiving bogus packets;
> *) wifiwave2 - improved compliance with regulatory domain information;

did you fix or reproduce the issue about routing filter rules that freeze the arm64 platform when there are a lot of routes (~5M)?
Did some more digging into 7.7rc1 and the radio issues on the hAP ax2. Seems it is missing the countries configuration in the radio after updating, I suspect this means it won't accept any country.
$ ssh router /ip/dns/static/export | grep youtube
add cname=www.youtube.com name=youtube type=CNAME
$ dig youtube @router
; <<>> DiG 9.18.9 <<>> youtube @router
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63586
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;youtube. IN A
;; Query time: 1 msec
;; SERVER: 192.168.0.1#53(router) (UDP)
;; WHEN: Mon Dec 19 12:24:33 PST 2022
;; MSG SIZE rcvd: 25
$ dig youtube cname @router
; <<>> DiG 9.18.9 <<>> youtube cname @router
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65395
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;youtube. IN CNAME
;; ANSWER SECTION:
youtube. 86400 IN CNAME www.youtube.com.
;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(router) (UDP)
;; WHEN: Mon Dec 19 12:26:16 PST 2022
;; MSG SIZE rcvd: 54
$ ping youtube
ping: Unknown host
$ ping youtube.
ping: Unknown host
> don't like society? make your own!

if you are unhappy you can buy a different brand :) hihi

> *) bgp - fixed connection establishment using link-local addresses;

Please, some details?

> multihop is no longer required for ebgp with link-local addresses

Thanks!

> multihop is no longer required for ebgp with link-local addresses

Ok it seems that the issue with BGP peers not being in the same IPv4 subnet in the route table also has been fixed, but maybe it was fixed long ago (I only re-tested it now).

> In v7.6, I could use static dns regex entries to modify AAAA results to ::ffff to block ipv6 for certain hostnames. This doesn't work now--it returns ::ffff and nothing else. How do I get the same behavior in v7.7rc2?

Can someone from Mikrotik comment on this? I've complained about this lost functionality since the betas and haven't seen any responses. If you're going to remove a functionality that users depend upon, can you provide an alternative?

> chiem - Can you please provide a simple static DNS entry example (from export) that has been broken in v7.7?

Exactly as I've mentioned, but here's an example in v7.6:
$ dig netflix.com a
; <<>> DiG 9.18.9 <<>> netflix.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29919
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;netflix.com. IN A
;; ANSWER SECTION:
netflix.com. 34 IN A 44.242.60.85
netflix.com. 34 IN A 44.234.232.238
netflix.com. 34 IN A 44.237.234.25
;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Thu Dec 22 20:57:12 PST 2022
;; MSG SIZE rcvd: 77
$ dig netflix.com aaaa
; <<>> DiG 9.18.9 <<>> netflix.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46742
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;netflix.com. IN AAAA
;; ANSWER SECTION:
netflix.com. 5 IN AAAA 2600:1f14:62a:de82:822d:a423:9e4c:da8d
netflix.com. 5 IN AAAA 2600:1f14:62a:de81:b848:82ee:2416:447e
netflix.com. 5 IN AAAA 2600:1f14:62a:de80:69a8:7b12:8e5f:855d
;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Thu Dec 22 20:57:13 PST 2022
;; MSG SIZE rcvd: 113
$ ping netflix.com
PING6(56=40+8+8 bytes) 2001:559:8632:0:e467:b6ff:fec4:4341 --> 2600:1f14:62a:de81:b848:82ee:2416:447e
^C
--- netflix.com ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
$ ssh router /ip/dns/static/export | grep netflix
add address=::ffff regexp="^netflix\\.com\$" type=AAAA
$ dig netflix.com a
; <<>> DiG 9.18.9 <<>> netflix.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26660
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;netflix.com. IN A
;; ANSWER SECTION:
netflix.com. 49 IN A 44.242.60.85
netflix.com. 49 IN A 44.234.232.238
netflix.com. 49 IN A 44.237.234.25
;; Query time: 6 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Thu Dec 22 21:05:28 PST 2022
;; MSG SIZE rcvd: 77
$ dig netflix.com aaaa
; <<>> DiG 9.18.9 <<>> netflix.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;netflix.com. IN AAAA
;; ANSWER SECTION:
netflix.com. 86400 IN AAAA ::ffff
;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Thu Dec 22 21:05:30 PST 2022
;; MSG SIZE rcvd: 57
$ ping netflix.com
PING netflix.com (44.237.234.25): 56 data bytes
^C
--- netflix.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
> When BGP was configured on v7 between this address and the address of the remote (a fixed address in the /24) it would not work without multihop. But now it does.

That was fixed a long time ago.

> > When BGP was configured on v7 between this address and the address of the remote (a fixed address in the /24) it would not work without multihop. But now it does.
> That was fixed a long time ago.

Ok... as I wrote, I now re-tested it because I saw a change item that might be relevant to it. When I first used a v7 beta it was one of the (many) problems

> Please fix as-override in RouterOS 7, a very important function in larger networks.
> https://help.mikrotik.com/docs/display/ ... mplateMenu
> We bought this year a lot of CCR2216 that do not support RouterOS 6.49.x.
> Without as-override we have the wrong origin in a lot of our routes like private and public ASN's from VRRP routers behind our network.
> This leads to wrong RPKI and IRR and also broken routes.

What's so ironic is, they launch CCR2216 as a RouterOS7-only model, as a powerful BGP router, but they don't develop the BGP features in ROS7 fast enough.

> Now once you add an A or AAAA entry, both A and AAAA records are handled by static entries. We will discuss this internally once more and will decide how to proceed.

Unless you use DoH:
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query
/ip dns static
add name=forum.mikrotik.com address=1.2.3.4 ttl=1m
# dig -t A forum.mikrotik.com @192.168.80.184
...
;; ANSWER SECTION:
forum.mikrotik.com. 60 IN A 1.2.3.4
...
# dig -t AAAA forum.mikrotik.com @192.168.80.184
...
;; ANSWER SECTION:
forum.mikrotik.com. 153 IN AAAA 2a02:610:7501:3000::239
...
/ip dns static add name=<name> type=AAAA no-data=yes
> > Please fix as-override in RouterOS 7, a very important function in larger networks.
> > https://help.mikrotik.com/docs/display/ ... mplateMenu
> > We bought this year a lot of CCR2216 that do not support RouterOS 6.49.x.
> > Without as-override we have the wrong origin in a lot of our routes like private and public ASN's from VRRP routers behind our network.
> > This leads to wrong RPKI and IRR and also broken routes.
> What's so ironic is, they launch CCR2216 as a RouterOS7-only model, as a powerful BGP router, but they don't develop the BGP features in ROS7 fast enough.

they replied to me that as-override will never happen because it breaks bgp specs.
Most BGP updates are cosmetical update, and the important stuffs on BGP ( such as VPNV4, as-override, etc ), got left behind.
Also not forget to mention BFD, which is widely used in core network deployment
> if you want to win some bonus points, you need to come up with a way to support both behaviours. :)

It would now probably be better to abandon the RouterOS DNS resolver development, reduce it back to a pure resolver as required in a home router, and promote the use of a docker container for advanced DNS...

> It would now probably be better to abandon the RouterOS DNS resolver development, reduce it back to a pure resolver as required in a home router, and promote the use of a docker container for advanced DNS...

Well you'd lose DNS being script-able. And BIND likely works as a container today. It's the in-between use case, the just "use my ISP's" and learning zone files, where a better built-in DNS would be useful – glad MT is looking at it.

> Now that we have containers, it may be time to leave some things in the dust (like SMB server, proxy, hotspot, and apparently also DNS resolver) and focus on routing again.

I'd rather they didn't. It's my fear of containers, that they could serve as an excuse for MikroTik to not implement some things that would otherwise make sense to have in RouterOS. And I'm glad that so far (and hopefully forever) it doesn't happen. Containers should be for rare special things. That's not the case with these (it differs slightly for each).

> Specifically for DNS resolver, what they are trying so far with it is perfectly within the scope of what I expect from an advanced router. It just needs more internal testing, more thought given to what might be a breaking change for some, perhaps ask users in advance about required use cases, etc.

The problem I have with tinkering with the DNS resolver is that this is a crucial part of functionality for many users, and for the sake of implementing some infrequently used new features they break the basic functionality for users of cloud services every time.

> There's no chance Mikrotik will be able to maintain a fully functional RFC-compliant DNS resolver.
> ....
> Now that we have containers, it may be time to leave some things in the dust (like SMB server, proxy, hotspot, and apparently also DNS resolver) and focus on routing again.

I don't think Mikrotik is pitching their DNS feature as a BIND alternative or looking to be one. Nor could they, DNS assumes the server has some domain that's been delegated from "above" (or top-level domain)... so without a FQDN, you're already off the track.
Home router vendors don't attempt to develop DNS resolvers. Most use Dnsmasq, a very mature open source DNS resolver.
Yet a DNS server is a a feature on nearly all home routers, and most have similar odd schemes to deal with hosts. Why? Because there is a need to do resolution locally on a small network without a lot IT infrastructure. Like most things in Mikrotik, just don't use the feature – a "real" DNS does makes sense in a lot of case.
> 790KiB to install BIND9 [...]. Looks like a full fledged BIND isn't impossible.

FWIW, possible as Alpine-based container, an image with BIND as recursive resolver is 28Mb.

FROM alpine:3.12.0
# Alpine's bind package ships sample configs; the recursive one is used as-is
RUN apk add --no-cache bind
RUN cp /etc/bind/named.conf.recursive /etc/bind/named.conf
# DNS is mostly UDP; EXPOSE without a protocol only documents TCP
EXPOSE 53/tcp 53/udp
# -g: stay in the foreground and log to stderr; -u named: drop root after binding port 53
CMD ["named", "-c", "/etc/bind/named.conf", "-g", "-u", "named"]

> I do share your concern that their DNS would not be ideal for more "enterprise" things.

It is worse: it is not ideal for typical home usage, where a router is between the home network and internet, and advertises its own address as a resolver for the local devices.

> FWIW, possible as Alpine-based container, an image with BIND as recursive resolver is 28Mb.
> FROM alpine:3.12.0
> RUN apk add --no-cache bind
> RUN cp /etc/bind/named.conf.recursive /etc/bind/named.conf
> EXPOSE 53
> CMD ["named", "-c", "/etc/bind/named.conf", "-g", "-u", "named"]

Or, OpenWRT with DNSMasq and a GUI is only 11MB.

I wonder. The new generation has more RAM, and more storage. At what point will it be easier, and more cost effective, to just ship one BIND version? I know, I know. Huge. Extremely feature rich. Bloated. But...
I just looked it up. My OpenSuse desktop says it needs about 790KiB to install BIND9. I know, I know. Dependencies and whatnot. Well, we already have a full Linux system with RoS. OpenWRT says it needs less than 200KiB for BIND.
So. Quite doable, I think. 300KiB (I'm being generous) of storage and... 4 MiB of RAM? It would be a problem for 64MiB devices. It would be tight for 16MiB storage devices.
But... We are usually seeing more than 128 MiB of RAM, and 1GiB storage looks like the "new normal". Looks like a full fledged BIND isn't impossible.

> I wonder. The new generation has more RAM, and more storage. At what point will it be easier, and more cost effective, to just ship one BIND version?

I'd prefer Unbound over BIND, especially as it has supplanted BIND in both FreeBSD and OpenBSD:
https://en.m.wikipedia.org/wiki/Unbound_(DNS_server)

> I'd prefer Unbound over BIND, especially as it has supplanted BIND in both FreeBSD and OpenBSD:
> https://en.m.wikipedia.org/wiki/Unbound_(DNS_server)

There is actually an arm & "distroless" version of Unbound DNS: https://hub.docker.com/r/klutchell/unbound
v7.6 and also v7.7rc3 are messing up Hotspot/Cookies timeouts on reboot.
Support ticket already filled as SUP-102839
Any news on fixing SFP DDM / SFP details on "hEX S" RB760iGS?
It worked in V6 but stopped working in V7 with many reports.
Can someone at Mikrotik acknowledge or confirm the issue?
This is an automated message. Our bug tracker reports, that your issue has been fixed. This means that in the upcoming days, we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out soon. To be sure this specific fix is included, read the changelog when the next version comes out. If your issue is not mentioned, it might mean it will be in the next release.
> I'd love to see VTI implemented on RouterOS, but I kinda lost hope. I'd even gladly swap Wireguard for VTI.

I think it will be somewhere around 2033. :) They cannot yet fix standard functionality like VPRN, already for more than a year. And it blocks upgrades.

> What's new in 7.7rc4 (2023-Jan-03 13:13):
> *) bgp - fixed BGP advertisement PCAP saver;

is there something to read about this in detail?

> > What's new in 7.7rc4 (2023-Jan-03 13:13):
> > *) bgp - fixed BGP advertisement PCAP saver;
> is there something to read about this in detail?

viewtopic.php?t=180185#p920879

> Hi,
> I am not entirely sure if I just have some amnesia or doing some sleepwalking, but I have apparently lost some of my config items after upgrading from 7.7rc3 to 7.7rc4.
> I had a config export script and a GRE tunnel config, which both have worked yesterday. Today those were missing from the config.
> Actually I might just have unwillingly set safe mode, then somehow managed not to unset it before leaving my PC, but I'm not so sure.
> Has something similar happened to anyone else?
> thank you very much

Yes! I had that before, but long ago. It happened when my router was upgraded from v6 to v7, then after every reboot (including upgrade requiring a reboot) some things would be lost.

We have received several reports about issues with the DNS cache in v7.7rc but so far none of them have had some precise examples. Please, if someone can reproduce the problem with the DNS cache, then provide step-by-step instructions on how you manage to see the problem. At the moment we are not aware of any reproducible issues. Please note that we are not denying an issue - simply we are not able to reproduce such a problem at the moment and unfortunately, so far we have not managed to guess how to reproduce it. We are looking for a "/ip dns export" configuration which we can apply and then trigger the issue from a remote device by using this router as a DNS cache.

> I cannot understand why Cisco had to invent the new nonstandard VTI protocol for something that was already covered (and implemented by them!) before as IPIP over IPsec transport mode (or GRE over IPsec transport mode).

The main reason was a few extra bytes of MTU, I guess....

> I fixed that by exporting the config (remember show-sensitive option), installing the router using netinstall with no config, then connecting via MAC address and uploading and importing the config again.
> export terse show-sensitive
> At that time it was also required to re-arrange the config export a bit because the sequence was wrong in the ipv6 section, but that has been fixed I think.
> After that operation, I have not seen it again. I think the upgrade procedure causes subtle corruption of the underlying config database. Import (not backup restore!) seems to fix it.
> Maybe it is sufficient to just "reset configuration without defaults", I don't know. I did the netinstall.

Hi! I have done just that: netinstalled my rb5009 with a fresh 7.7rc4 from a 7.7rc4, then I imported back my config, which was exported by "export terse show-sensitive".
/ip vrf add interfaces=*B name=vrf1
> > I cannot understand why Cisco had to invent the new nonstandard VTI protocol for something that was already covered (and implemented by them!) before as IPIP over IPsec transport mode (or GRE over IPsec transport mode).
> The main reason was a few extra bytes of MTU, I guess....

Also: reduced complexity & a bit better performance. Btw. almost every other vendor followed.

> We have received several reports about issues with the DNS cache in v7.7rc but so far none of them have had some precise examples. Please, if someone can reproduce the problem with the DNS cache, then provide step-by-step instructions on how you manage to see the problem. At the moment we are not aware of any reproducible issues. Please note that we are not denying an issue - simply we are not able to reproduce such a problem at the moment and unfortunately, so far we have not managed to guess how to reproduce it. We are looking for a "/ip dns export" configuration which we can apply and then trigger the issue from a remote device by using this router as a DNS cache.

this happens in v7.6 (stable) too it seems:

Regarding the mentioned DNS issue. I have tried the DNS Benchmark application https://www.grc.com/dns/benchmark.htm and the cache is filled with a quite unusual amount of broken records 0.0.0.0. See printscreen. It might help. This case is quite reproducible. I have tried the latest test version 7.7RC4 on hAP ac^2 256MB RAM.

> Regarding the mentioned DNS issue. I have tried the DNS Benchmark application https://www.grc.com/dns/benchmark.htm and the cache is filled with a quite unusual amount of broken records 0.0.0.0. See printscreen. It might help. This case is quite reproducible. I have tried the latest test version 7.7RC4 on hAP ac^2 256MB RAM.

Does it indicate any error in the retrieved results? Or is that tool not checking results carefully?

> pe1chi - Your ticket was replied to at the same time when my previous post was made. At the moment there are no known and reproduced DNS problems for us (which would be introduced in v7.7). We do know that your ViaPlay service is not working as expected since 7.7rc3, but so far there is no information on how to reproduce such a problem. If we try to use ViaPlay, then we do not see such an error and we have not received any other reports about such a problem from anyone else. We of course want to figure out what is the issue here.

7.7 rc3 confirm problems with dns

We managed to figure out what those "0.0.0.0" entries in the DNS cache are. First of all - 0.0.0.0 is not an IP address. That is just a WinBox visual interpretation of an "empty" value. These entries in the cache that do not have a type, data and flags are "unknown type entries". For example, RRSIG entries. You can easily see them in the cache if you test it with - "host -t RRSIG google 10.155.114.1". They are harmless entries and do not affect DNS cache work with valid entries.
I'm running 7.7rc4 and I'm not experiencing issues with DNS. I've even signed up for a trial of Viaplay to see if I can recreate the issue, however it works great via the browser and iOS app.
That is funny, in viewtopic.php?p=974747#p974747 you wrote that there were several reports about DNS issues and now you write you have not received a report from anyone else.
Look, I can work around it by setting another resolver than the MikroTik, but I expect a lot of confusion when this goes into release and people install it and complain about their Viaplay (or other cloud service, see the other reports) to them. They already have a bad reputation about "always problems when you want to watch your sports event", and adding external factors like a DNS resolver will not help that.
I don't know if the Viaplay app is the same in all countries.
What other info do you require to solve this? A trace of a run of the app with working DNS resolver?
I see the issue on my Android TV devices with the Viaplay app on them.
My only static entry is "add name=use-application-dns.net type=NXDOMAIN". I have configured the resolver both on IPv4 and IPv6 and announced it to the network.
I don't have any static entries in my config and I'm using a combination of IPv4 and IPv6 DNS resolvers.
I do have IPv6 and the TV uses IPv6 to do its lookups, the next DNS server at the provider is also IPv6. I never considered that to be a factor.
One question I do have, do you have IPv6 on your network? The default Mikrotik config will share your ISP's IPv6 via neighbour discovery... Could this be the cause?
When the record does not exist, the DNS server which has authority for the zone must respond with an NXDOMAIN response, which has the AA (authority) flag and is eligible to be cached for the duration of the 'negative TTL', which is the lower of the value in the SOA record returned with the NXDOMAIN answer and its TTL.
Similarly here: if a client queries a recursive DNS server for a particular DNS record (and the client has every right to assume the server is recursive) and the DNS server doesn't return the requested record (e.g. because it doesn't exist), then why should the client barf if it doesn't receive an SOA record?
I can observe similarly different behaviour (between MT's DNS server and a proper BIND9 server) when records are actually successfully returned: MT's DNS server only returns the requested records while BIND9 also returns an authority section with the root servers listed. This difference doesn't seem to bother the Viaplay app?
I have put the ISP DNS as the DNS in the IPv6 ND configuration (instead of the MikroTik address), and restarted the TV.
If that's the case, the Mikrotik really shouldn't be altering the reply as it passes through. Hopefully Mikrotik can use this to help resolve the problem.
Actually I have seen in the trace that the ISP reply is the same as the Google reply. So it probably does not change anything. I can test it later tonight.
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
auth.split.io: type AAAA, class IN
Name: auth.split.io
[Name Length: 13]
[Label Count: 3]
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 0
Queries
auth.split.io: type AAAA, class IN
Name: auth.split.io
[Name Length: 13]
[Label Count: 3]
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Authoritative nameservers
split.io: type SOA, class IN, mname ns-877.awsdns-45.net
Name: split.io
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 416 (6 minutes, 56 seconds)
Data length: 72
Primary name server: ns-877.awsdns-45.net
Responsible authority's mailbox: awsdns-hostmaster.amazon.com
Serial Number: 1
Refresh Interval: 7200 (2 hours)
Retry Interval: 900 (15 minutes)
Expire limit: 1209600 (14 days)
Minimum TTL: 86400 (1 day)
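The two dissections above show the same AAAA query for auth.split.io answered once with an empty authority section and once with the split.io SOA record, and the earlier posts explain that only the second form gives a resolver a negative TTL to cache (RFC 2308: the lower of the SOA record's TTL and its MINIMUM field). The following is an added example, not code from this thread, from RouterOS or from BIND: a small pure-Python DNS wire-format parser that classifies a reply as POSITIVE, NODATA or NXDOMAIN and reports the negative TTL it carries. The two replies it inspects are constructed inline from the values in the dissections above (with the SOA owner name written as a compression pointer, as real servers do); the function names and the transaction id are assumptions of this example.

```python
"""Inspect DNS replies for RFC 2308 negative-caching data (added example)."""
import struct

TYPE_SOA, TYPE_AAAA = 6, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
HEADER_LEN = 12


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def read_name(msg, off, max_hops=16):
    """Decode a name at msg[off], following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer elsewhere in the message
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def build_negative_reply(qname, qtype, soa=None, rcode=RCODE_NOERROR, txid=0x1234):
    """Constructed reply with no answer RRs (NODATA, or NXDOMAIN when rcode=3).
    soa = (zone, ttl, mname, rname, serial, refresh, retry, expire, minimum)
    adds one SOA to the authority section; its owner name is a pointer into
    the question name, so zone must be a parent of qname (assumed here)."""
    flags = 0x8180 | rcode                  # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 1 if soa else 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if soa:
        zone, ttl, mname, rname = soa[:4]
        if not qname.endswith("." + zone):
            raise ValueError("zone must be a parent of qname")
        rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", *soa[4:])
        zone_off = HEADER_LEN + len(encode_name(qname)) - len(encode_name(zone))
        msg += struct.pack("!HHHIH", 0xC000 | zone_off, TYPE_SOA, 1, ttl, len(rdata)) + rdata
    return msg


def parse_message(msg):
    """Parse the header, question and the three RR sections into plain dicts."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = HEADER_LEN, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack_from("!HH", msg, off)[0]
        off += 4
        questions.append((name, qtype))
    sections = []
    for count in (an, ns, ar):
        records = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rec = {"name": name, "type": rtype, "ttl": ttl, "rdlen": rdlen}
            if rtype == TYPE_SOA:           # names inside SOA rdata may be compressed too
                rec["mname"], p = read_name(msg, off)
                rec["rname"], p = read_name(msg, p)
                rec["minimum"] = struct.unpack_from("!IIIII", msg, p)[4]
            off += rdlen
            records.append(rec)
        sections.append(records)
    return {"rcode": flags & 0xF, "questions": questions,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}


def negative_cache_info(msg):
    """Return (kind, negative_ttl): negative_ttl is min(SOA TTL, SOA MINIMUM)
    per RFC 2308 section 3, or None when no SOA is present (nothing cacheable)."""
    m = parse_message(msg)
    if m["rcode"] == RCODE_NXDOMAIN:
        kind = "NXDOMAIN"
    elif m["rcode"] == RCODE_NOERROR:
        kind = "NODATA" if not m["answer"] else "POSITIVE"
    else:
        kind = "RCODE%d" % m["rcode"]
    soa = next((r for r in m["authority"] if r["type"] == TYPE_SOA), None)
    return kind, None if soa is None else min(soa["ttl"], soa["minimum"])


# Constructed inputs using the values from the dissections in the thread.
SOA_SPLIT_IO = ("split.io", 416, "ns-877.awsdns-45.net",
                "awsdns-hostmaster.amazon.com", 1, 7200, 900, 1209600, 86400)
REPLY_WITHOUT_SOA = build_negative_reply("auth.split.io", TYPE_AAAA)
REPLY_WITH_SOA = build_negative_reply("auth.split.io", TYPE_AAAA, SOA_SPLIT_IO)

if __name__ == "__main__":
    for label, reply in (("no SOA", REPLY_WITHOUT_SOA), ("with SOA", REPLY_WITH_SOA)):
        print(label, negative_cache_info(reply))
```

Running it reports ("NODATA", None) for the first reply and ("NODATA", 416) for the second: a client that wants to cache the absence of an AAAA record can only do so from the second form, which is the difference the posts above are debating. Feeding the same parser a reply captured with tcpdump or dig on your own network shows which form your resolver returns.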
05:06:53 container,info,debug importing remote image: zabbix/zabbix-proxy-sqlite3, tag: alpine-6.0-latest
05:06:53 system,info item added by cesar
05:06:53 container,info,debug unexpected response from container registry: resolving error
05:06:53 container,info,debug was unable to import, container 4a07240c-862b-4861-a16a-68605478ad54
05:07:11 container,info,debug removing files, container 4a07240c-862b-4861-a16a-68605478ad54
05:07:11 system,info item removed by cesar
05:07:15 container,info,debug importing remote image: zabbix/zabbix-proxy-sqlite3, tag: alpine-6.0-latest
05:07:15 system,info item added by cesar
05:07:18 container,info,debug getting layer sha256:6875df1f535433e5affe18ecfde9acb7950ab5f76887980ff06c5cdd48cf98f4
05:07:19 container,info,debug layer sha256:6875df1f535433e5affe18ecfde9acb7950ab5f76887980ff06c5cdd48cf98f4 downloaded
05:07:19 container,info,debug getting layer sha256:8412d3537cddbbbb5c1fcaa344f3844385abc15e316ff133a1f8dc5bbe3b8c9e
05:07:20 container,info,debug layer sha256:8412d3537cddbbbb5c1fcaa344f3844385abc15e316ff133a1f8dc5bbe3b8c9e downloaded
05:07:20 container,info,debug getting layer sha256:b690d3b3edd47413b51c84a19f197b3c40fadd377dd47590de52cb050cf4467b
05:07:21 container,info,debug layer sha256:b690d3b3edd47413b51c84a19f197b3c40fadd377dd47590de52cb050cf4467b downloaded
05:07:21 container,info,debug getting layer sha256:e3ccac81ac2e45b899651f6527cce71f4f02177b7bf7e9781e984b586ead63c4
05:07:22 container,info,debug layer sha256:e3ccac81ac2e45b899651f6527cce71f4f02177b7bf7e9781e984b586ead63c4 downloaded
05:07:22 container,info,debug getting layer sha256:bf066b812416ea2a698f96c84fc47598a9aab03bbc710a4e959ba2f1e06b22b1
05:07:23 container,info,debug layer sha256:bf066b812416ea2a698f96c84fc47598a9aab03bbc710a4e959ba2f1e06b22b1 downloaded
05:07:23 container,info,debug getting layer sha256:96f71e664b34d405db7d7989a86904cdf3c922962c12eee695ecaaf50506ea46
05:07:25 container,info,debug layer sha256:96f71e664b34d405db7d7989a86904cdf3c922962c12eee695ecaaf50506ea46 downloaded
05:07:28 container,info,debug getting layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
05:07:31 container,info,debug layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 downloaded
05:07:31 container,info,debug getting layer sha256:e88bc30177987201958bf875419072c8392b98f59a71bbdee5ee19996704c32d
05:07:32 container,info,debug layer sha256:e88bc30177987201958bf875419072c8392b98f59a71bbdee5ee19996704c32d downloaded
05:07:32 container,info,debug import successful, container 6854c06d-c61c-4b53-9ae5-c1fe0d4a2045
Finally fixed. I first observed this issue like over 2 years ago. Like mentioned here viewtopic.php?p=851445#p851445
*) quickset - update DNS server IP address when changing router's IP address;
Well, but that is actually the correct and expected reply!
This issue has been around for a long time and has existed since RouterOS v7 started supporting IPv6 NAT.
But I can't reproduce it every time. The issue is that when a client requests an AAAA record, RouterOS will randomly return NO_ERROR instead of Non-existent domain.
RouterOS will give "0.0.0.0" or "::" AAAA record entries to the clients' DNS cache, like the "0.0.0.0" entries RouterOS got from the upstream DNS server that @strods mentioned.
So clients will use :: to access the server, which will fail.
Since a v7 release after I submitted a ticket to fix this, it happens less often, but the issue still exists and is more random.
Do you have IPv6? Does the situation change when you temporarily disable IPv6 on the internal network?There is definitely a problem with DNS.
I don't have IPv6. IPv6 is disabled.
FWIW I have had intermittent issues with streaming services from at least 7.6 (which I am currently running), as well as issues with Apple HomePods. I do have IPv6 internet. I am on an extended trip so cannot validate it's the same issue/disable IPv6/change DNS issued by DHCP to be an upstream server vs the MikroTik device, but it sounds suspiciously familiar re: symptoms, to include periodic name resolution issues on page loads which I couldn't explain. I am sorry I can not 100% validate, but this sure does sound like the right track to follow. Hopefully someone else running IPv6 on 7.6 + using the MikroTik resolver can validate.
We have tested "dig -t AAAA auth.split.io" type requests and can confirm that replies have "Authority RRs: 0". However, that is the exact same behaviour in v7.6 and v7.7rc. Can anyone confirm that the services which are not working properly with 7.7rc are indeed working with v7.6? Does the DNS cache in that particular case indeed return "Authority RRs: 1" in such a scenario, which would make us believe that services like ViaPlay do not work because of this AAAA reply?
#!/usr/bin/env bash
# Compare the answers of the local (default) resolver with those of an external
# resolver for every name listed in dns.names, one name per line.
external=1.1.1.1
while read -r host; do
    if [ -n "$host" ]; then
        # +short prints only the record data; sort so record order alone
        # does not produce a false "different" (round-robin answers).
        local_reply=$(dig "$host" +short | sort)
        external_reply=$(dig @"$external" "$host" +short | sort)
        # Note: CDN/GeoDNS names may legitimately differ between resolvers.
        if diff <(echo "$local_reply") <(echo "$external_reply"); then
            echo "$(date) - same - $host"
        else
            echo "$(date) - different - $host"
            echo "local reply: $local_reply"
            echo "external reply: $external_reply"
            echo
        fi
    fi
done <dns.names
It is probably no good to try to build test cases ourselves. That is why I was looking at the "unbound" test code as it appears to have many test cases and it has probably arisen from the many quirks that they have hit when developing "unbound".
Maybe we can try to use a simple bash script, but the main question is how to build the list of the hosts.
16MB is bad but the SMIPS devices are much worse, as they do not have enough RAM either so the new version has to fit in the flash alongside the old one during update.Even the brand new 100G switch CRS504 has just 16MB of storage so that limitation is not going away any time soon.
Yes, I can't understand this decision. No need for 1GB storage (although it's nice to have it), but 128MB should be the bare minimum for everything.
Even the brand new 100G switch CRS504 has just 16MB of storage so that limitation is not going away any time soon. This is a decision MikroTik has made and the price is them having to build everything from scratch because the standard approaches will not fit.
I think one of the reasons is that the interface technology for those flash chips changes at the 16MB mark. To have more, you either need to have a 16MB chip (to boot) plus some extra chip for more storage, or you would need to use a different technology SoC that allows larger boot flash chips and probably costs more. Also, having two chips may mean that you need so many lines dedicated to interfacing the memory that you may not have enough left for other control purposes.
totally agree here! 16MB is way too little flash.
Unless a RAM disk for downloading upgrade npk files becomes the norm on all devices, the minimum usable flash size is 128MB on devices with ac/ax radios (i.e. all wifi devices). I guess 64MB would be enough for wired-only devices (many people would not be happy about that, running containers seems to be the next fashion).
TBH, no good reason if there were say 64MB at least of flash to have room for the update-npk
how come? where else is it stored then and applied at reboot?
The update-npk is not stored in the flash except on SMIPS routers (toys).
thanks a lot for the clarification. always appreciate such insights
It is stored in the RAMdisk which is available in all devices that have 16MB flash and 128MB or more of RAM (and from very recently can now also be enabled on devices with more flash, THANKS!).
So that includes almost all new devices. The SMIPS routers (hAP lite and hAP mini) do not even have enough RAM for a RAMdisk, so they can store it only in flash.
I don't think they changed anything. As far as I remember working with Mikrotik, some versions just had slower development. Something like every 4th 6.x/7.x was slow to release. Or sometimes it even took them months to release a 6.x.y hotfix.
I agree with taking time and releasing really stable versions.
It used to be crazy... no matter what kind of issue was included in a stable version or how much HW would be bricked, every month a new "stable" version....
hap ac3 updated ok
7.7rc5 (2023-Jan-11 13:20):
The key type in the public key file is "ssh-ed25519" so I'm wondering if RouterOS is expecting something different.
The key you can generate using ssh-keygen and you use to log in is a different thing.
insmod: /lib/modules/5.6.3/drivers/char/music_dog.ko failed: 22 Invalid argument
/routing/route/print count-only
it is a known bug, fixed but the fix is not yet added to the 7.7 branch
working only without any where clause, otherwise always returning 0
@Winbox Routing/BGP/Sessions - "Prefix Count" always 0 /no release so far in which it works.../