MikroTik

RouterOS version 7.9beta has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.9beta4 (2023-Mar-23 15:01):

Changes in this release:

*) bgp - improved BGP VPN selection;
*) bridge - added warning log when "ageing-time" exceeds supported hardware limit for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) bridge - fixed FastPath when setting "use-ip-firewall-for-vlan" or "use-ip-firewall-for-pppoe" without enabled "use-ip-firewall";
*) certificate - fixed bogus log messages;
*) chr - fixed public SSH key pulling when running on AWS;
*) console - added "/task" submenu (CLI only);
*) console - added option to create new files using "/file add" command (CLI only);
*) console - improved stability when doing "/console inspect" in certain menus;
*) console - improved stability when editing long strings;
*) console - improved system stability;
*) console - removed bogus "reset" command from "/system resource usb" menu;
*) console - rename flag "seen reply" to "seen-reply" under "/ipv6 firewall connection" menu;
*) console - show Ethernet advertise, speed and duplex settings depending on configured auto-negotiation;
*) container - fixed invoking "container shell" more than once;
*) container - improved "container pull" to support OCI manifest format;
*) detnet - fixed interface state detection after reboot;
*) dhcp - changed the default lease time for newly created DHCP servers to 30 minutes;
*) dhcpv4-server - release lease if "check-status" reveals no conflict;
*) disk - improved system stability when removing USB while formatting;
*) ethernet - fixed half-duplex forced mode at 10Mbps and 100Mbps on ether1 for RB5009, Chateau 5G ax and hAP ax3 devices;
*) filesystem - fixed partition "copy-to" function;
*) firewall - added "connection-nat-state" to IPv6 mangle and filter rules;
*) health - added limited manual control over fans for CRS3xx, CRS5xx, CCR2xxx devices;
*) ipsec - fixed packet processing by hardware encryption engine on RB850Gx2 device;
*) ipsec - refactor X.509 implementation;
*) ipv6 - added "valid" and "lifetime" parameters for SLAAC IPv6 addresses;
*) ipv6 - send out RA packet with "preferred-lifetime" set to "0" when IPv6 address is deactivated;
*) l3hw - improved route offloading for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) leds - disable LEDs after "/system shutdown";
*) lte - capped maximum lifetime of SLAAC address to 1 hour;
*) lte - fixed CA band clearing on RAT mode change;
*) lte - fixed duplicate IPv6 route for lte interface when "ipv6-interface" setting is used;
*) lte - fixed LTE interface not showing up when resetting RouterOS configuration;
*) lte - fixed passthrough mode when used together with another APN for Chateau 5G;
*) lte - fixed R11-LTE-US in LTE passthrough mode;
*) lte - fixed R11e-LTE-US reporting of RSSI in LTE mode;
*) lte - fixed re-attach in some cases where module would stay in not-running state after network detach;
*) lte - fixed second modem halt on dual R11e-LTE6 setup;
*) mpls- fixed LDP "preferred-afi" parameter;
*) netwatch - added "startup-delay" setting (CLI only);
*) netwatch - improved ICMP status evaluation when no reply was present;
*) netwatch - limit "start-delay" range;
*) ospf - fixed processing of fragmented LSAs;
*) ovpn - added support for OVPN server configuration export and client configuration import from .ovpn file;
*) quickset - fixed displaying of "SINR" when value is 0;
*) rose-storage - added option to nvme-discover with hostname (CLI only);
*) rose-storage - fixed crash on nvme-tcp disable;
*) rose-storage - fixed rsync transfer permissions;
*) rose-storage - various stability fixes;
*) route - fixed "dynamic-id" for VRF tables;
*) route - improved system stability when making routing decision;
*) route - show SLAAC routes under the "/routing route" menu;
*) route-filter - improved stability when matching blackhole routes;
*) routerboot - added "preboot-etherboot" and "preboot-etherboot-server" settings ("/system routerboard upgrade" required) (CLI only);
*) sfp - added log warning about failed auto-initialization on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - allow modules that hold "TX_FAULT" high signal all the time on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - allow modules with bad or no EEPROM in forced mode on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - fixed "rate-select" functionality on CCR2004-16G-2S+ and CCR2004-1G-12S+2XS devices (introduced in v7.8 );
*) sfp - fixed combo-ether link monitor for CRS328-4C-20S-4S+ switch;
*) sfp - improved module initialization and display more detailed initialization status on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - improved SFP28 interface stability with some optical modules for CRS518 switch;
*) sfp - improved system stability with some SFP GPON modules on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) socks - added VRF support;
*) ssh - added Ed25519 host key support;
*) ssh - do not allow SHA1 usage with strong crypto enabled;
*) ssh - improved service responsiveness when changing SSH service settings;
*) ssh - improved SSH key import process;
*) storage - mount RAM drive for devices with 32MB flash;
*) supout - added DHCP server network section;
*) switch - fixed ACL rules matching IPv6 packets when using only IPv4 matchers;
*) switch - improved system stability for 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) vrrp - added "self" value for "group-master" setting;
*) vxlan - added forwarding table;
*) vxlan - fixed packet drops when host moves between remote VTEPs;
*) webfig - added inline comments;
*) webfig - fixed "Destination" value under "MPLS/Forwarding-Table" menu;
*) webfig - fixed issue where "Certificate" value disappears under "IP/Services" menu;
*) webfig - fixed issue where entries might be missing under "IP/DHCP-Server" menu;
*) webfig - various stability fixes;
*) wifiwave2 - added "radio/reg-info" command to show regulatory requirements (currently implemented for 802.11ac interfaces) (CLI only);
*) wifiwave2 - added ability to configure antenna gain;
*) wifiwave2 - added ability to configure beacon interval and DTIM period;
*) wifiwave2 - added information on additional interface capabilities to radio parameters;
*) wifiwave2 - automatically add a VLAN-tagged interface to the appropriate bridge VLAN;
*) wifiwave2 - exit sniffer command and return error when trying to sniff on an unsupported channel;
*) wifiwave2 - fixed 802.11r roaming for clients that performed initial authentication with an AP which has been restarted since;
*) wifiwave2 - fixed issue of some supported channels not being listed in the radio parameters;
*) wifiwave2 - fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs;
*) wifiwave2 - fixed VLAN tagging for unencrypted (open) APs;
*) wifiwave2 - improved general interface stability;
*) wifiwave2 - improved regulatory compliance for hAP ax^2, hAP ax^3 and Chateau ax;
*) wifiwave2 - increased maximum value for "channel.frequency" to 7300;
*) wifiwave2 - show information on captured packets and added ability to save them locally in a pcap file;
*) winbox - added "MTU" and "Hoplimit" properties under "IPv6/Routes" menu;
*) winbox - added "Preferred AFI" property under "MPLS/LDP-Instance" menu;
*) winbox - added "S" flag under "IPv6/Firewall/Connections" menu;
*) winbox - added "Tx Power" property under "Wifiwave2/Status" menu;
*) winbox - added "Tx Queue Drops" property under interface settings "Traffic" tab;
*) winbox - added "Username" and "Password" properties under "Container/Config" menu;
*) winbox - added "Valid" and "Preferred" properties under "IPv6/Address" menu;
*) winbox - added missing properties for "Remote ID Type" under "IP/IPsec/Identities" menu;
*) winbox - changed route flag name from "invalid" to "inactive";
*) winbox - fixed "TLS" property under "Tools/Email" menu;
*) winbox - fixed "Type" property under "System/Disk" menu when "rose-storage" package is installed;
*) winbox - fixed default value for "Allow managed" property under "Zerotier" menu;
*) winbox - fixed duplicate "My ID" column under "IP/IPsec/Identities" menu;
*) winbox - fixed minor typo in "WifiWave2/Radios" menu;
*) winbox - fixed missing "Sector Writes" for certain devices under "System/Resources" menu (introduced in v7.8 );
*) winbox - improved Ethernet advertise, speed and duplex settings;
*) winbox - only show permitted countries for wifiwave2 interfaces;
*) winbox - show missing "Designated Bridge" and "Designated Port Number" monitoring data under "Bridge/Port menu;
*) www - allow unsecure HTTP access to REST API;
*) x86 - fixed changing software-id (introduced in v7.7);
*) zerotier - upgraded to version 1.10.3;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

nice work, thx

*) ipsec - fixed packet processing by hardware encryption engine on RB850Gx2 device;

What does it mean? What was the problem? Speedup in processing?

Mellanox ConnectX-6 recognized (MT2892 Family [ConnectX-6 Dx] (rev: 0)) but not supported.
Any words on when will be added?

*) ssh - added Ed25519 host key support;

This does not work for me... Still uses RSA host key, even after regenerating key(s).

And public key authentication with ed25519 keys will come later?

This does not work for me... Still uses RSA host key, even after regenerating key(s).

Oh, it is a setting in /ip/ssh/... Why not support both at the same time? Just let the client decide.

Again no BFD. It is becoming more and more like a clown show.

*) ipv6 - send out RA packet with "preferred-lifetime" set to "0" when IPv6 address is deactivated;
I hope this not only happens when the address is deactivated but also every time the address is changed, like when a new address from a pool is assigned.

*) ipv6 - send out RA packet with "preferred-lifetime" set to "0" when IPv6 address is deactivated;
I hope this not only happens when the address is deactivated but also every time the address is changed, like when a new address from a pool is assigned.

Yes it does.I have tested it successfully in my lab, changed the globally assigned prefix, router sends out RA with 0 to clients for old prefix.
Long story, but finally, no workaround scripts necessary anymore, Thanks Mikrotik!

Regards @colinardo

Thanks for testing colinardo, this is very good news, thanks Mikrotik!

Still, no OVPN fix on this release despite numerous reports about the instance kernel crashes from 7.8 RC to 7.9 B.

rose-manager still does not work with QNAP/Synology iscsi targets

*) ssh - added Ed25519 host key support;

Tried this, but importing an ed25519 hostkey on 7.9 beta4 (x86 CHR Image) does not work, see images how i generated the key and tried to import it


Also tried a RFC4716 converted key file, but this one also refuses to import

RSA works as normal, so what's the change here??

Regards @colinardo

As I wrote above... This is not (yet) about public key authentication. You now have the choice to use RSA or ed25519 host keys. You can see what host key type is used in the heading of randomart Image.

As I wrote above... This is not (yet) about public key authentication. You now have the choice to use RSA or ed25519 host keys. You can see what host key type is used in the heading of randomart Image.

I know, but this is the host key, i tried to import the hostkey for the router itself not for a user.

Impressive amount of work done here, regardless if what anyone specifically wanted didnt get done. The paperwork alone is not trivial, just imagine the testing and integration involved. Kudos to the dev team and test team.

Ahh found it, you have to set the key-type first:





But custom host keys in ed25519 format still will not import via import-host-key command after changing the setting above.

*) www - allow unsecure HTTP access to REST API;
Well, thank you very much! This will certenatly improve monitoring capabilities on all low-end devices like ap/lte/nr.

*) zerotier - upgraded to version 1.10.3;
That was very good news indeed!

However if I may make a suggestion, you should seriously consider bumping up to at least v1.10.6 since there are major problems in the previous versions regarding path-learning and max-paths with lingering dynamic addresss that may hit ipv6 usage.

When we upgraded to version 1.10.3 it was the latest one. We can't upgrade and release on the same day. We need to test it too

When we upgraded to version 1.10.3 it was the latest one. We can't upgrade and release on the same day. We need to test it too :)

So true, LARSA look at post #16 :-) My impatient vampire mouse. That is why I am not clamouring for the ZeroTrust Cloudlfare Tunnel options package (for all mt users) on every beta release as I know these things take time. ;-))

Well, I admit that I must have really expressed myself extremely clumsily if it was perceived that it should have been done ALREADY! 😘 But as I said, "someone" should consider a bump to v1.10.6 as soon as possible to avoid angry Android and ipv6 users.

Otherwise it looks like a grand update!

Btw, what is that ZeroTrust Cloudlfare Tunnel thingy you are talking about all the time! 😋

EDIT:
It would be very practical if one could have access directly to local.conf using the cli. In this way, it would be possible to configure all possible settings such as TrustedPath, Multipath, BondingProfiles, etc without having to add all bells and whistles to Winbox. I'll create a feature request to get a feeling what people think about it.

Well, I admit that I must have really expressed myself extremely clumsily if it was perceived that it should have been done ALREADY! 😘 But as I said, "someone" should consider a bump to v1.10.6 as soon as possible to avoid angry Android and ipv6 users.

Otherwise it looks like a grand update!

Btw, what is that ZeroTrust Cloudlfare Tunnel thingy you are talking about all the time! 😋

...
Hi Larsa, ZeroTrust CLoudflare tunnel, is a way to permit all MT home users and possibly SOHO users to host servers of any ilk ****,, in a safe secure manner. Imagine a way to host your server WITHOUT EXPOSING YOUR PUBLIC IP. Imagine a forum where one cannot find a single thread that with obscene GARBAGE firewall rule setups so twisted from 50 youtube videos for port blocking adding to firewall lists etc etc.......... I mean zerotrust cloudflare tunnel = MTs philosophy of flexibility, practicality, efficiency AND SECURITY. An options package would allow this from all MT devices.

**** For some reason MT is unable to or doesn't want to recognize the number of users running servers and the number of new users joining the MT world that want to run servers. Its a no-brainer imho!

*) ovpn - added support for OVPN server configuration export and client configuration import from .ovpn file;

Would this finally solve problem with client authentication via static key?

When we upgraded to version 1.10.3 it was the latest one. We can't upgrade and release on the same day. We need to test it too :)

Super excited about this!! Thanks to MikroTik and ZeroTier for getting that updated :)

Just upgraded an RB4011 and RB5009 i'm using as ZT gateway routers in our corp network.

upgraded my hap ax3 from 7.8 to this release, an iPhone X and an iPhone 14 Pro can no longer connect to my WPA3-PSK network. Both asking for a password, if entered again, “incorrect password”. A MacBook Air was able to connect. Still investigating what’s wrong.

EDIT: Not a single 5Ghz enabled device was able to connect including the perviously working Macbook. I know sae-pwe=hunting-and-pecking is needed to allow clients to connect. I tried all 3 options without success.
A diff of the working 7.8 and 7.9b4 config showed no changes in /int/wifiwave2/.
The error I saw in the log was: 5C:3E:1B:XX:XX:XX@W5.LAN disconnected, key handshake timeout, signal strength -77
Disabling/Enabling the interfaces didn't help, only a reboot of the router restored connectivity. It seems the driver or something else just crashed :S

EDIT:
It would be very practical if one could have access directly to local.conf using the cli. In this way, it would be possible to configure all possible settings such as TrustedPath, Multipath, BondingProfiles, etc without having to add all bells and whistles to Winbox. I'll create a feature request to get a feeling what people think about it.

Isn't it the case that 90% of the point of RouterOS and its management tools is to wrap all the underlying nonsense in a consistent management interface? If you want to twiddle with text files, install OpenWRT.
The corollary of that is that every parameter has to be available so that you don't need to get up to your nuts in text files.

@osc86, sae-pwe=hash-to-element | hunting-and-pecking always had problems with this.

Isn't it the case that 90% of the point of RouterOS and its management tools is to wrap all the underlying nonsense in a consistent management interface? If you want to twiddle with text files, install OpenWRT. The corollary of that is that every parameter has to be available so that you don't need to get up to your nuts in text files.

Reply in viewtopic.php?p=991971#p991971

No obvious troubles on RB5009, hAPax3 and RB1100 - ZT works well enough that came back after the update at least :).

The corollary of that is that every parameter has to be available so that you don't need to get up to your nuts in text files.

Agreed. But yeah bonding mode was one I was hoping for here...

viewtopic.php?p=985182#p984976

Fixed, thanks MikroTik!

This is the beta last 10 years with most changes in on go. 113 :)
Hope MT will release 7.8.1 to come closer to a long time release.

This changelogs just too good man

why are messages being deleted? When will BFD be added?

why u guys forcing for BFD?
We had this feature enabled between mt and cisco,lot of issues
Also i'm trying to do not use BFD on v6 as much as possible, i found works better.

@nichky
Amen...
Better work to have again the separate web interface for the user-manager or at least leave the users use previous "v6" user-manager.

why are messages being deleted? When will BFD be added?

For 2 reason: that messages are offtopic, and as required by forum administrator is not strictly related to this particular RouterOS release.
And also if the administrator delete your message, is a good idea rewrite it again, or ask why is deleted???
You generate again offtopic messages and relative reply, like this.

Great fix list with some long-standing issues fixed, but still no working MPLS experimental bits. I have a large network that relies on this for QoS and we can't move to v7 until this is working, similar to the situation with others who need BFD for v7.

wifiwave2 - improved regulatory compliance for hAP ax^2, hAP ax^3 and Chateau ax;

Would be interested in some details of what changed.

My ISP give me IPv6 address range by DHCPv6 on PPPoE connection. Yesterday I upgraded my capAC (what I use as router) from 7.8 to 7.9b4 and after that I cant get the IPv6 range, DHCP client in search state. I will try to downgrade. Does have anyone similar problem?

PS:

There was a misconfiguration in dst-NAT (I allowed from every address on in interface, now only from 2000::/3 and the fault not appeared instant), now I get the prefix from ISP.

on 7.9beta4 and intel XXV710 for 25GbE SFP we still get random reboot.
ticket [SUP-110894] and updated with latest supout.
Seems the driver introduced in 7.8 is not going well.
regards

*) console - added option to create new files using "/file add" command (CLI only);

Thanks! That makes future deployments so much easier!

Hi,

Problems with DNS (DoH) in chrome browser, All queries give:
With mozilla there is no problem, back to version 7.8 everything is fixed.

Regards,

Still no "/ip route check x.x.x.x" reappiring on the v.7 scene, super usefull for troubleshooting (and PRESENT in v.6).
It's simply the "ip route get" linux equivalent, come on ..a couple rows of code!

5Ghz radio again not authenticating clients after ~12h uptime. Nothing but a reboot seems to fix it. Am I the only one having these issues on the hap ax3?

Hello,

I installed this beta version on my rb5009 and I can confirm, the issue with sfp gpon module (FS GPON-ONU-34-20BI) not detected is gone.
One issue remains with this module, indeed when rebooting the router the module is not restarted (I have then to manually reboot the module), and in my case if I don't do it I'm limited to 30 MB/s, instead of 500 MB/s.

Not specific to this release, but bridge filter rules still disable fast track on rb5009, where it's not the case on rb4011. To avoid this it might even better to implement new-vlan-priority switch rule on marvel 88E6393X.

Regards,

5Ghz radio again not authenticating clients after ~12h uptime. Nothing but a reboot seems to fix it. Am I the only having these issues on the hap ax3?

I'm experiencing this on wifi3 (faster of the two 5Ghz) on a Mikrotik Audience.

indeed when rebooting the router the module is not restarted (I have then to manually reboot the module), and in my case if I don't do it I'm limited to 30 MB/s, instead of 500 MB/s.

How do you receive WAN IP by PPPoE or IPoE(DHCP)?

How do you receive WAN IP by PPPoE or IPoE(DHCP)?

I receive my wan ip by dhcp (my isp is Orange France), of course a release/renew of the dhcp client do not help.
Just a reboot of GPON module solve the issue.

Problems with sfp was not fixed.
Tested on a rb5009 and ccr2004. after update no optical link. only phisical reinsert sfp module solves the problem.

we need sfp powe reset option. add please.

5Ghz radio again not authenticating clients after ~12h uptime. Nothing but a reboot seems to fix it. Am I the only one having these issues on the hap ax3?

Not at the moment, 5 GHz is working fine (hAP ax3 and hAP ax2) ... but it's only been 24h
PS. I use only WPA2

Hello,

I think I found one bug, with ipv6 prefix.

I added a second dns server in /ipv6/nd/interfaces on the default one (I have three interfaces in total), it resulted in the prefix being flagged as invalid, and I was unable to get it back to the valid state. The only solution I found was to reboot the router.
Removing the second dns server didn't solve the issue, the prefix stays invalid. It might be related to one these:

*) ipv6 - added "valid" and "lifetime" parameters for SLAAC IPv6 addresses;
*) ipv6 - send out RA packet with "preferred-lifetime" set to "0" when IPv6 address is deactivated;

The same configuration works fine in 7.7 and in 7.8, as thanks to the changelog, I was able to find a solution to my gpon module not being detected

sfp - allow modules that hold "TX_FAULT" high signal all the time

by doing the following: https://hack-gpon.github.io/ont-fs-com- ... lt--serial
And so I was able to finally use 7.8 version.

excessive quotation removal

Hi,
What GPON module do you use and what was the issue please ?
I am using a GPON SFP from FS.com for a French ISP (Orange) and have to keep it in a CRS305 to workaround compatibility issue with CCR.
Does the 7.9 firmware work better for you ?
Thanks ?

@cyayon

I'm using the same gpon module as you, for the same isp but on another hardware rb5009.
And following the instructions from here: https://hack-gpon.github.io/ont-fs-com- ... lt--serial solved the issue, of the module not being detected.
Yes it was working in both configuration in 7.9 beta, but then I'm facing the bug I described with prefix being marked as invalid. So I reverted to 7.8 after applying the fix I linked.

Thanks.
As i know, this GPON have different issue on CCR. Than are going crazy and PSU switch to fail mode.
I am not sure, but i think that the GPON was working correctly on rb5009 but with v7.7. The v7.8 introduced a regression.

Did you try the GPON without the modification on v7.7 ?

@Cyayon, yes it’s working fine in v7.7 without the modification, indeed v7.8 introduced this bug, it also introduced some nice features for DOH.

Thanks. I think that CCR and RB5009 have different issues. Hope that v7.9 will finally made this SFP work as expected.

*) console - added "/task" submenu (CLI only);

looking forward to see all the task command in a manual

task -- commands related to background task handling

looking forward to see all the task command in a manual

True. Quick summary is it's the UNIX `bg` / `fg` / `jobs`, or poor-mans `tmux`.

But at least with this one:

*) console - improved stability when doing "/console inspect" in certain menus;

should be able to ferret out cases where F1 (CLI help) pretty quickly. (see viewtopic.php?p=966725&hilit=inspect#p966543, /console/inspect with "syntax" crashed which ironically prevented from finding cases where the help for an argument was empty string)

But I'm more convinced by each release they use Ouija board with Latvian symbols to pick what gets fixed. ;)

what is the differences between
start-delay & startup-delay ?

Upgraded AC3 and AX3.

Log for AX3 shows:

error while running customized default configuration script: no such item

/system default-configuration print
Seriously ?? /Interface wireless on AX device ???

On AC3 this error is not shown, default script is also a LOT longer (and DOES take into account possible presence of wifiwave2 interfaces).
Attached default script for AX3 as it is now.

SUP-111720 created

AX3 does seem to work correctly after startup from what I can see (a couple of wifiwave2 SSIDs using VLAN, wireguard, DHCP, some firewall rules, nothing fancy)

Those scripts are not written to be failure resilient, and that is often difficult to do in RouterOS scripting anyway.
Installing (or not installing) optional packages makes RouterOS commands appear and disappear, and that is difficult to handle in a script.
However, those scripts are normally not important once you have configured the router, they are only intended for the first run or when you choose not to have the default config (also on first run).

And yet it was run on a preconfigured device.
Also, on AC3 that error was not shown. Because there the default script was correct. So it can be done correctly.

If on AX3 the default script refers to /interface wireless, that's dead wrong because there is no such thing on an AX-device. Only /interface wifiwave2.

But you get the same RouterOS on your ax3 than others are using on an ac3 etc. So it is difficult to get it right.
(I think it is actually a big advantage of MikroTik: the same RouterOS on many different devices, both old and new. I am happy to accept such minor inconveniences for having such a generic software that will remain supported long after the devices are not sold anymore)

You're completely missing the point and it even gets better ...

1) why is that script run to start with ?
2) it doesn't throw errors on AC3 but that's because it ONLY tests for wifiwave2 interfaces when not in caps mode (for caps mode it only tests for wireless). So because I have wave2 on my AC3, it passes without a problem here (for this config).
3) script on AX3 only has 100 lines (it's only the caps part, as a reference, the current 7.9b4-AC3 script has 325 lines but as indicated in point 2, it's also wrong)

I understand what you are referring to but if those scripts are to be used as default config on pristine devices, they need to be correct !

Any news on fixes for 802.1X (dot1x) which broke in 7.8 for CRS326-24G-2S+?

Neither 7.8 nor 7.9 detail changes for dot1x, so this breaking was unexpected. Problem is essentially that devices don't stay authorised...

Reported here:
viewtopic.php?t=193986#p990192

You're completely missing the point and it even gets better ...

I'm not going to spend time on useless discussions like this. Read the comment in the script.

@holvoetn
Wrap the script in { }, remove all tabs and spaces in front of each line, send it to terminal and look for what is marked as red.

Eksample:
And as pe1chl writes, read all comments inn the script.

If on AX3 the default script refers to /interface wireless, that's dead wrong because there is no such thing on an AX-device. Only /interface wifiwave2.

It would be. BUT I'm not sure this is a generic problem. Or related specifically to v7.9 upgrade.

I have two test hAPax3, and they contain the full defaults, both correctly use wifiwave2. Only change in defconf between v7.8 defaults and v7.9beta4 is a stylistic choice in setting lease-time implicitly in 7.9 vs being explicit:

NOW your default-configuration looks to have an issue. But have you ever used netinstall, branding package or restored backups on this unit? That cause could cause this kinda thing since if replaced by a user tool, that's usually sticky in the defconf and won't be "upgraded".

Maybe there is bug here, but it's NOT the default configuration is generically broken for hAPax3.

Impressive amount of work done here, regardless if what anyone specifically wanted didnt get done. The paperwork alone is not trivial, just imagine the testing and integration involved. Kudos to the dev team and test team.

100% true. good someone pointed it out.
regardless the BFD topic, people getting more and more impatient and less understanding.
all that stuff needs to undergo comprehensive testing.
and if one just takes in account for at least 2 sec. how many possible and even weird implementations and setups exist where mikrotiks are a core part of that or even enable some certain setups everyone should step a little back and honor the work the dev and test teams accomplish!

ATLGM from 7.8 -> 7.9beta went brick. Netinstall accepted only 7.8.
ATLGM has APN passthrough with minimum defoult configuratin.
This is it there, no FW, just passthrough, VLAN for admin and scheduler.

hAP ac3 RBD53iG-5HacD2HnD with wifiwave2 still dont sport VLAN.

hAP ac3 RBD53iG-5HacD2HnD with wifiwave2 still dont sport VLAN.

Code: Select all

# mar/26/2023 20:34:29 by RouterOS 7.9beta4
# software id = WYZC-DIZ1
#
# model = RBD53iG-5HacD2HnD

/interface/wifiwave2> print 
Flags: M - MASTER; B - BOUND; X, I, R - RUNNING
Columns: NAME, CONFIGURATION.MODE, CONFIGURATION.SSID
#     NAME   CONFIGURATION.MODE  CONFIGURATION.SSID
;;; client was disconnected because could not assign vlan

Unfortunately I suppose it's not a bug just a new feature :-( because instead of fixing it MT have added "Default VLAN id to assign to clients connecting on the interface, this setting is only supported on 802.11ax interfaces. Default: none." in the documentation.

any info about "preboot-etherboot" and "preboot-etherboot-server" ?

any info about "preboot-etherboot" and "preboot-etherboot-server" ?

https://help.mikrotik.com/docs/display/ ... tetherboot

Thanks @Reinis

still i don't have clear picture.
How this can be useful remotely?
if i cant log in to it, (improperly installed version) how this can help?

any info about "preboot-etherboot" and "preboot-etherboot-server" ?

https://help.mikrotik.com/docs/display/ ... tetherboot

Very nice feature! Thanx.

How this can be useful remotely?
if i cant log in to it, (improperly installed version) how this can help?

As many nice features it only becomes usable after device was upgraded to 7.9+

If device becomes corrupt after it was upgraded to 7.9 and properly set up, it can be remotely netinstall-ed ... Of course, one has to have netinstall server ready on remote location as well. Which somehow narrows down usability of this feature ... but it's still useful never the less.

One use case, even for local deployments: quite often I find that RB doesn't really want to enter netinstall mode using button press method. But if I set /system/routerboard/settings/set boot-device=try-ethernet-once-then-nand, then the chances of getting netinstall working are much higher. However, the mentioned (traditional) setting means that a) device has to be working properly prior to attempts to netinstall it and b) in case netinstall doesn't start, setting has to be changed again. With newly introduced settings it is possible to make the etherboot/netinstall permanent setting, but there are gotchas. One of them being that etherboot works via ether1, which is WAN interface by default.

As anticipated by me in 7.8, it is a prelude to Netinstall directly from RouterOS...
viewtopic.php?t=193986#p986905

How this can be useful remotely?
if i cant log in to it, (improperly installed version) how this can help?

As many nice features it only becomes usable after device was upgraded to 7.9+

If device becomes corrupt after it was upgraded to 7.9 and properly set up, it can be remotely netinstall-ed ... Of course, one has to have netinstall server ready on remote location as well. Which somehow narrows down usability of this feature ... but it's still useful never the less.

I think it is very useful! In many remote locations, we have a MikroTik router connected to the network and some AP high on the roof, very difficult to go there to press reset.
With this feature we can re-install the APs when required.
Previously I too have set devices to "try-ethernet-first-then-nand" to accomplish this (in case netinstall required in the future) but unfortunately it resets after every reboot.
(which for that setting of course is required to boot at all, because the "try ethernet" has no timeout in that case)

thanks all

does that mean that MT can be netinstall servers?

Yes, probably DHCP-server bootp & TFTP server (both already existant) can be used on future for netinstall the devices

Nichky - startup delay is time to wait until starting Netwatch probe after the system startup, by default it is 5 minutes. It is only active once after boot, as opposed to start-delay, which will be used every time probe is adjusted. Startup delay is for avoiding false positive "down" results after reboot. Similar to how ping watchdog startup delay works.
Documentation has been adjusted.

@Guntis: when you have time to work on netwatch, and the "routing" people obviously make no progress in their BFD "work in progress", please consider giving us a BFD "type" in netwatch.
It only has to support simple single-hop echo mode (UDP port 3784) without complications such as password etc, compatible with v6 BFD.
You would help a lot of users that want to migrate to v7 but need BFD to monitor their tunnels and links!

Yes, probably DHCP-server bootp & TFTP server (both already existant) can be used on future for netinstall the devices

Is netinstall-on-routeros in v7.9 and I'm missing something?

It's possible the log topic is about the etherboot-server setting discussed here...

@Amm0:
viewtopic.php?t=194781#p992407

Only change in defconf between v7.8 defaults and v7.9beta4 is a stylistic choice in setting lease-time implicitly in 7.9 vs being explicit:

Well spotted, but it's not just a stylistic choice. The default DHCP server lease time for newly created servers has been increased to 30 minutes and the default configuration adjusted so as not to override it.

The default DHCP server lease time for newly created servers has been increased to 30 minutes

Welldone... 10m is too little time...

The default DHCP server lease time for newly created servers has been increased to 30 minutes

Welldone... 10m is too little time...

Agreed, not just stylistic. I recall using a short lease-time interacting poorly with power saving on iOS, likely others. 30m seems like a good middle ground.

Hi Support,
in my experience those strange and random errors reported can be caused by uninitialized variables.
Once I see a similar problem with SNMP settings: a lot of errors in the log. Stopped when I enabled and re-disabled it!
N

Hi Support,
in my experience those strange and random errors reported can be caused by uninitialized variables.
Once I see a similar problem with SNMP settings: a lot of errors in the log. Stopped when I enabled and re-disabled it!
N

But what do you write and what does it have to do with it?

Another ChatBOT?

i am having issue with vpls mtu after upgrading from v6 to latest v7 (7.9beta4)
here is the detail
viewtopic.php?t=194895
And here the tickets number SUP-111902
thx

Welldone... 10m is too little time...

Agreed, not just stylistic. I recall using a short lease-time interacting poorly with power saving on iOS, likely others. 30m seems like a good middle ground.

What is the reason to have such short lease-times? Maybe it is useful in a guest wifi in a restaurant or similar, but in "normal" networks I set the lease time to 1d or 7d.

[...] 30m seems like a good middle ground. [...]

What is the reason to have such short lease-times? Maybe it is useful in a guest wifi in a restaurant or similar, but in "normal" networks I set the lease time to 1d or 7d.

Fair question. Wondered myself why 10m for long time. A shorter time does allow the dhcp leases to function as a pseudo "active user list". But I figured something in hotspot/paywall might need it for time-of-day/etc control, but dunno. Additionally, short lease-time does catch a "dumb user" case where someone forgot to reconnect/renew after router IP config changes – those changes will "magically" start working on average 5m (or now average 15m) — short than time to make a support case about it.

Agreed, not just stylistic. I recall using a short lease-time interacting poorly with power saving on iOS, likely others. 30m seems like a good middle ground.

What is the reason to have such short lease-times? Maybe it is useful in a guest wifi in a restaurant or similar, but in "normal" networks I set the lease time to 1d or 7d.

I guess you could flip the question around and ask yourself whats the advantage to having a longer lease time? Is there any actual overhead for a shorter lease time of 1day? Is there any effieciency savings for increasing lease time beyond 10 mins?

I know having shorter lease times has an administrative advantage when making static leases. 5 min wait is reasonable. Anything longer becomes a nuisance.

What is the reason to have such short lease-times? Maybe it is useful in a guest wifi in a restaurant or similar, but in "normal" networks I set the lease time to 1d or 7d.

I guess you could flip the question around and ask yourself whats the advantage to having a longer lease time? Is there any actual overhead for a shorter lease time of 1day? Is there any effieciency savings for increasing lease time beyond 10 mins?

I know having shorter lease times has an administrative advantage when making static leases. 5 min wait is reasonable. Anything longer becomes a nuisance.

I think it depends on the use case. For my customer equipment, sometimes shorter leases messes up their router (it shouldn't, but the symptoms look like NAT connections are timing out too quickly or something). When you have hundreds or thousands of devices, setting a longer time spreads out the load on the network (traffic + server load).

In cases where your available pool is small and users are transient, like retail and other guest WiFi setups, a short lease (15-30 mins) frees up IP resources quickly.

With as many hAP's that I install as home routers, I do wish the default was more than 10 mins. 1-3 hours would be a good default. (I do override the 10 min. default in a script I load on at install time.)

Another angle to look at:
Shorter lease times will put additional wear and tear on the internal flash disk.
So higher leases are better in that case.

Lease time doesn't do anything to the flash disk. Leases are dynamic and are not stored in the config.

Thanks for the info and it does make sense.
Has that changed since I do recall config exports showing dynamic leases ?

Lease time doesn't do anything to the flash disk. Leases are dynamic and are not stored in the config.

They are not in the config, but they are stored on the "disk". Under DHCP config there is a setting "store leases on disk" that determines how often the dynamic leases are written from RAM to disk, so that is not directly related to the lease time. However, this setting can be set to "immediately" and in that case they are immediately written to disk.
Recently I was looking for a way to "mirror" such dynamic leases from one router to another, but I could not find any. One can query the dynamic leases e.g. via API or using commandline "print" command, but there is no way to "import" them as dynamic lease (i.e. not part of the config).

the pppoe scan is broken since 7.8 (not working in 7.8beta3 nor 7.8) and it is still not working on 7.9.beta4 (just checked).

sniffer shows that the PPPoE discovery packet is sent the offer from PPPoE server is being received but the pppoe-client scan shows nothing.

I think it depends on the use case.

Yes it depends. And most use cases and management practices are very different for most situations. So there are cases where long lease-time makes sense, to me.
Long lease time = stable (almost static) IP addresses. But problematic if you want to change DHCP parameters quickly, or when there are many devices passing by for a short time.

If you need quasi static IP addresses, or have trouble with lease renewals, a long lease time will help.
e.g.: Holiday tenants stay for 3 days till 2 weeks. But they are often off-site during daytime excursions.
They bring many devices each. etc etc etc (same wifi WPA2/EAP username)(no IP Hotspot)
The IP address lease stays reserved while they are off-site, and is released only when they are gone for a longer time.
(Queue limits work on IP addresses, not username. Didn't find the filter to make it work based on the wifi WPA2 username )

PS: It's a workaround. RSSO (Radius single signon) is a real solution. (See Fortinet, Watchguard, ....) Wifi identificaton/authentication used in user based firewall rules.)

They have to pick something as a default. 10m seems too short. But during setup I'd think short is better...especially since some users may not know what a lease time is. Those that do, easy to change.

OVPN on ROS 7.8 kernel crash and reboot didn't fix yet??

When we upgraded to version 1.10.3 it was the latest one. We can't upgrade and release on the same day. We need to test it too :)

So true, LARSA look at post #16 :-) My impatient vampire mouse. That is why I am not clamouring for the ZeroTrust Cloudlfare Tunnel options package (for all mt users) on every beta release as I know these things take time. ;-))

If I have that Zerotrust Cloudflare Tunnel in Docker, would I still need it native in ROS?
Docker runs now on my Synology NAS, Raspberry Pi, Odroid-N2, Windows 11 PC ... and on hAP ac³ (only not sure if that image would run on hAP ac³)
https://www.youtube.com/watch?v=ZvIdFs3M5ic

... and on hAP ac³ (only not sure if that image would run on hAP ac³)

Also on hAP ac2 with USB storage.

*) vrrp - added "self" value for "group-master" setting;

I don't know if this is due to this change...
VRRP interface is sending/receiving advertisement by using interface which is selected in its own "interface" parameter, regardless of "group-master" parameter is supplied.
The state changes caused by this behavior are cancelled by the group master immediately, thus causing a flurry of interface state changes.

moojp - please send us supout.rif file where this behavior can be observed.

I keep getting an "Invalid MTU 9192" on my CCR2004 port 15 when connecting to my ARRIS SVG2482AC cable modem (Xfinity Provider) when using the latest v7.9beta. I do not get this error when using v7.8.
I have completed a successful "NetInstall" just to rule out anything else.
Thoughts ??

My ticket re: SUP-111720 has been confirmed as a bug by support after sending them a supout, they will look into it.
Since my device already has a functioning config, there is no further problem for me. I already knew that.

*) ovpn - added support for OVPN server configuration export and client configuration import from .ovpn file;

Would this finally solve problem with client authentication via static key?

Just tested it... :( Going back to sleep, should I set a reminder for... 2025 I guess?

IKE issue SUP-111669, please reply!

+1 request to fix OpenVPN issue that leads to kernel failure.

IKE issue SUP-111669, please reply!

Can you give us details?

Thanks!

My ticket re: SUP-111720 has been confirmed as a bug by support after sending them a supout, they will look into it.
Since my device already has a functioning config, there is no further problem for me. I already knew that.

Can you give us details?

Thanks!

Search for the ticket number in this thread.
All details are there ;-)

It's about AX3 default config.

Sorry :(

Thanks!

Tx Power for 2.4 GHz interface on hAP ax2 is limited to 15 dBm. Tested with different Country configured.
Moreover, right after changing a country 20 dBm is displayed for a while and then it falls to 15 dBm.

Is correct, 15 + 4,5 ~20dB...

RouterOS v7.9rc1 has been released
viewtopic.php?t=194993