Mikrotik


A community-contributed sublemmy for all things Mikrotik. General ISP and network discussion also permitted. Please ensure if you're asking a question you have checked the Wiki First: https://help.mikrotik.com/

Mikrotik Rules: Don't post content that is incorrect or potentially harmful to a router/network.

This in itself is not a bannable offence but answers that are verifiably incorrect or will cause issues for other users will be edited or removed.

Examples:

  • Factual errors - "EOIP is always unsecure"
  • Configuration problems - Config that would disable all physical interfaces on a router
  • Trolling - "Downgrade it to 5.26"

1
 
 

What's new in 7.19.2 (2025-Jun-20 10:55):

*) bfd - fixed socket leak;
*) bgp - fixed withdraw when input.accept-nlri is non-existent;
*) btest - properly close unsuccessful TCP test sockets;
*) console - added prompt to /disk/format command;
*) disk - do not allow to start Btrfs replace command when a Btrfs replace process is already running;
*) disk - improve disk file system detection;
*) hotspot - allow only "http:" and "https:" schemas in dst field;
*) iot - added LoRa interface recovery mechanism;
*) iot - LoRa stability improvement;
*) iot - LR8G/9G firmware update;
*) ip-service - fixed "print count-only interval" when dynamic entries are added (introduced in v7.19);
*) ip-service - fixed setting services by name (introduced in v7.19);
*) ipsec - fixed responder on key exchange compute failure (introduced in v7.19);
*) ipv6 - do not show IPv6 FastPath as active when connection tracking or IPsec is used;
*) l2tp-ether - fixed interface creation/removal process;
*) lte - added support for R11e-LTE6 v039 firmware release;
*) lte - do not dial further if modem detects eSIM without profiles;
*) lte - fixed eSIM management function for mmips and mipsbe architecture CPUs;
*) lte - fixed eSIM provisioning for servers that do not send content-length in the HTTP response;
*) route - fixed destination ordering for SNMP;
*) route - fixed SNMP probing of IPv6 routes;
*) route - make routing table print faster with hw-offload, gateway and blackhole queries;
*) switch - fixed ACL rules when ports are not specified (fixes dynamic rules for RoMON);
*) switch - fixed advertise and speed settings for ether1 on RB5009 (introduced in v7.19.1);
*) webfig - improved screen reader support for WiFi fields in Quickset;
*) webfig - make combobox accessible to screen readers;
*) webfig - more space to branding logo;
*) wifi-qcom - fixed beacon loss issues and improved stability for IPQ-6018;
*) wifi-qcom - improved regulatory compliance;
*) winbox - fixed "Last Topology Change" for bridge port monitor;

2
 
 

I'm shocked by the behavior of Mikrotik!

I'm taking the time here to expose what happened to me so that others know my story (and therefore expose the mentality of this company..)

I had a question about one of their products that I own.
So I created an account on their forum space

  • fill the form
  • "play" with the captcha
  • wait the registration email
  • confirm
  • adjust settings in the user control panel

That already took some time, then I created my first post related to the question that I had.

After posting I got ~"Your post need to be approved before it's been published"

I'm not a fan of this method already, but I waited. The next day, when I logged in on their forum, I got:

😡 WTF !

The username is exactly the same as the one I use here, James_PTG. Of course, in my avatar we can read the expanded version:

"James Patageul" is a play on words because it sounds the same as (in French) "J'aime pas ta gueule", which translates to "I don't like your face".

So first of all, on a scale of "outrageousness", let's say this one gets a low score..

Secondly, why a Permanent BAN[^1] !?? They could simply have removed the avatar and changed the name if they didn't appreciate it.. (and still, why do they have to appreciate it or not? It's a forum (a public place)) ?

I'm baffled how they treat their customers...

So long Mikrotik..

[^1]:To send (someone) away and forbid them from returning.
he was banished from the kingdom for his crimes.

3
 
 

Hi,

Is it possible in a router to route traffic from one specific node ( here the laptop to the DVR) but not the other way around ( DVR to 192.168.10.0/28 ) ?

        192.168.10.1/28             
            ┌──────┐
            │laptop│
            └───┬──┘
                │
                │
                │
                ▼
             ┌──────┐
        ┌─────router├──┐
        │    └──────┘  │
        │              │
        ▼              ▼
     ┌──────┐        ┌───┐
     │server│        │DVR│
     └──────┘        └───┘
192.168.10.2/28      192.168.20.1/28
                             ─┤

Meaning, I want to keep the DVR in its subnet only. But allow the laptop to reach it.

Thanks.

4
 
 

Read our latest newsletter and learn more about:

- ATL 5G, MikroTik eSIM and Connectivity
- a new edition of hEX S with 2.5G SFP
- new LHG and LHG XL CPEs with Wi-Fi 6
- return of the oldschool TikTube
- New YouTube videos, a visitor from the past, and so much more!

https://mt.lv/news125

@mikrotik@lemmy.world

5
 
 

What's new in 7.19 (2025-May-22 10:53):

*) arm64 - fixed possible transmit queue timeout on CCR2216, CCR2116, RDS2216;
*) arp - added warning, when "Published" ARP entry used on an interface with "reply-only" ARP mode enabled;
*) bgp - added input.filter-community;
*) bgp - fixed excessive CPU usage;
*) bgp - fixed input.accept-community;
*) bgp - fixed memory leak on receiving notify and closing session;
*) bgp - improved performance on BGP input;
*) bonding - added setting for LACP active/passive modes;
*) bridge - added new STP monitoring fields for bridge and ports (Tx/Rx BPDU, Tx/Rx TC, forward/discard transitions, last topology change, message-age, max-age, remaining-hops, bridge-id);
*) bridge - fixed bridge port hang when using invalid port IDs;
*) bridge - fixed dhcp-snooping in QinQ setups;
*) bridge - fixed issue when local MACs were removed unnecessarily;
*) bridge - fixed minor memory leak on link down;
*) bridge - fixed multicast packet flow on hardware offloaded bridge which acts as "multicast-router";
*) bridge - improved default bridge and port layout on console and GUI;
*) bridge - improved stability in case of configuration error (introduced in v7.15);
*) bridge - moved "TCHANGE" logs from bridge,stp to bridge,stp,debug;
*) bridge - offload VXLAN only if another HW offloaded port exists in the bridge;
*) bridge - properly flush bridge hosts when bonding is used as bridge port and loses hw-offloading status;
*) bridge - rename "ports" to "interface" under MDB table for configuration consistency with other menus;
*) bridge - renamed STP monitor fields (port-number to port-id, designated-port-number to designated-port-id, designated-bridge to designated-bridge-id);
*) bridge - show designated-* monitor field for all port roles;
*) bridge - show warning instead of causing error when using multicast MAC as admin-mac (introduced in v7.17);
*) bth - properly specify "in-interface" when adding dynamic firewall NAT rule;
*) capsman - fixed "undo" command for cap interfaces;
*) certificate - added built-in root certificate authorities store;
*) certificate - do not include CA identity in SCEP POST requests;
*) certificate - fixed cloud-dns challenge validation for sn.mynetname.net (CLI only);
*) certificate - improve error message when trying to use certificate;
*) certificate - optimize trust store;
*) cloud - fixed issues when BTH is toggled fast between enable/disable;
*) cloud - improved "BTH Files" web page design;
*) conntrack - improved stability on busy systems;
*) console - added on-error to "for" and "foreach" loops;
*) console - added proplist to monitor command;
*) console - disallow incomplete double-quoted arguments (allows multiline string pasting);
*) console - do not treat return values as errors in scripts run from scheduler;
*) console - enabled verbose error logging for non-scripted/non-verbose imports;
*) console - fixed issue with file-name completion (introduced in v7.18);
*) console - fixed issue with files when using scripts (introduced in v7.18);
*) console - fixed misaligned multiline in brief print mode;
*) console - improve time value handling;
*) console - improved file add/remove process stability;
*) console - print large number argument values in proper format in export output;
*) console - set "/system/note show-at-login=yes" the default value after configuration reset;
*) console - validate script arguments (do, on-error, etc.) and reject invalid values;
*) container - allow changing container name;
*) container - fixed repository name handling to prevent redirect issues when basic authentication is used;
*) container - try to derive a user readable container name from remote image or file;
*) defconf - added DHCP Client on RDS2216 MGMT interface;
*) defconf - increased PPP interface wait time;
*) device-mode - added new "rose" mode where "container" feature is enabled by default;
*) dhcpv4 - improved outgoing packet logging;
*) dhcpv4-client/server - added support for DHCPv4 reconfigure messages;
*) dhcpv4-server - "Relay-Agent-Information" (82) option moved at the end of option list in response packets;
*) dhcpv4-server - accept packets with htype 6;
*) dhcpv4/v6-client - added check-gateway parameter;
*) dhcpv4/v6-client - fixed default route when DHCP client interface is in VRF;
*) dhcpv6-client - allow selecting to which routing tables add default route;
*) dhcpv6-relay - clear saved routes on DHCP release;
*) dhcpv6-relay - show client address;
*) dhcpv6-server - allow unsetting prefix-pool for static bindings and show warning if prefix is not in selected prefix-pool;
*) dhcpv6-server - change bound status to waiting on binding disable;
*) dhcpv6-server - change static binding bound status to waiting on server disable;
*) dhcpv6-server - fix when expired static binding is declined with false "binding belongs to another server" reason;
*) dhcpv6-server - improved stability when disabled server have static bindings;
*) dhcpv6-server - improved stability when disabling server with active bindings;
*) disk - add "sector-size" property in print detail;
*) disk - add reset-counters to /disk btrfs filesystem;
*) disk - renamed "eject-drive" command to "eject" (CLI only);
*) disk - renamed "format-drive" command to "format" (CLI only);
*) dlna - improved folder indexing behavior;
*) dns - improved DNS server service stability;
*) dot1x - fixed dynamic switch ACL rules on boards with a lot of ports (e.g. CRS520);
*) ethernet - improved Ethernet and PoE port mapping to ensure a consistent and reliable interface order;
*) fetch - fixed false successful messages in FTP mode;
*) file - added show-hidden parameter to /file/print, allowing referencing and deleting hidden files;
*) file - fixed missing files from The Dude (introduced in v7.18);
*) file - improved responsiveness on slow filesystems;
*) firewall - always show "passthrough" when exporting mangle table;
*) firewall - detect VRF addresses as local;
*) firewall - fixed IP/Settings "ipv4-fasttrack-active" status showing as inactive when it is active;
*) health - hide settings in CLI if there is nothing to show;
*) health - improved performance on devices with simple voltage sensors;
*) hotspot - improvements to memory usage;
*) igmp-proxy - do not try to send leave message for multicast groups that the device itself has joined on the upstream interface (cosmetic fix for proxy error logs);
*) ike2 - improved initial key exchange process on slow or unreliable connections;
*) iot - improvement to LoRa dev-addr-validation behavior;
*) iot - improvement to LoRa join eui/net id filtering behavior;
*) iot - improvement to LoRa stability and functionality;
*) iot - improvement to LoRa whitelist/blacklist support;
*) iot - iot-bt-extra package stability improvement;
*) ip-service - show all TCP/UDP connections on the system;
*) ip-service - show all TCP/UDP ports on system, including ports in containers;
*) ip-service - show error message when service enable fails;
*) ippool6 - properly free IPv6 pool used prefix when it is not used any more;
*) ipsec - fixed system failure on MMIPS devices when using IPsec services;
*) ipsec - lower standalone cipher, hash priority when using ctr aead;
*) ipv6 - avoid watchdog reboot due to link-local IPv6 address reconfiguration on thousand of interfaces at once;
*) ipv6 - fixed EUI-64 false error message on address update when "from-pool" option is used;
*) isis - properly validate 3-way hello handshake;
*) l2tp-ether - improved stability when trying to connect to disabled L2TP server with IPsec;
*) l3hw - remove VLAN tag before VXLAN encapsulation (fixes pvid behavior for bridged VXLAN);
*) log - added additional CEF fields from firewall and login logs;
*) log - fixed remote logging after reboot when hostname is forwarded to a DNS server;
*) log - populate in/out fields in firewall CEF logs with correct data;
*) lte - added UICC parameter in LTE monitor for R11e-4G modem;
*) lte - additional fixes for eSIM management support;
*) lte - AT modems, improved redialing when modem lost connectivity without notifying host about APN status change;
*) lte - automatically enable roaming for known roaming only SIM/eSIM profiles;
*) lte - Chateau 5G R16 fix DHCP relay packet forwarding using LTE interface;
*) lte - deactivate current eSIM profile before activating new profile;
*) lte - fixed default APN for configless modems;
*) lte - fixed EC200A-EU APN authentication;
*) lte - fixed initialization for Neoway N75 modem;
*) lte - fixed initialization for R11e-LTE6 modem;
*) lte - fixed LTE passthrough activation issue when IPv6 APN is used;
*) lte - fixed LTE status update or possible crash when modem is unexpectedly removed from system;
*) lte - fixed MBIM modem recovery after modem unexpected restart;
*) lte - fixed modem recovery after firmware upgrade for R11e-LTE modem;
*) lte - fixed possible crash or missing IPv6 address on first APN activation when IPv6 capable APN is used;
*) lte - fixed Router Advertisement processing issue for AT modems when an APN with "ip-type=ipv6" was configured;
*) lte - improved dialer for EC200A-EU modem;
*) lte - improved R11e-LTE6 link recovery delay time after unexpected modem registration status changes;
*) lte - initial support for user settable modem redial timer;
*) lte - initialize Quectel modems as soon as they are ready after unexpected restart;
*) lte - reset internal link-recovery-timer on sim slot change;
*) lte - set apn profile name the same as apn if no name specified when creating the profile;
*) lte - show correct value for 5G SA "current-cellid";
*) net - remove support for automatic multicast tunneling (AMT) interface (introduced in v7.18);
*) netinstall - improved network socket re-opening when NIC status changes while running the server;
*) netinstall - provide warning if memory on installed router is full after installation;
*) netinstall - show warning when network configuration on PC might not be appropriate for installation;
*) netinstall-cli - check for other running Netinstall servers on startup;
*) netinstall-cli - clear old configuration before user script using "-s";
*) netinstall-cli - fixed issue with applying the branding package;
*) ospf - fixed "mismatch" typo in logs;
*) ospf - make auth-key parameter sensitive;
*) ovpn - properly match GCM hardware acceleration capabilities (introduced in v7.17);
*) ovpn-server - do not reset active connections when changing comment or name;
*) ovpn-server - fixed server start-up after a reboot;
*) ovpn-server - properly show "username" in log when authentication fails;
*) pimsm - fixed issue where own query caused querier detection;
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - added support for Huawei E3372-325 variant (vendor-id="0x3566" device-id="0x2001");
*) port - added USB mode switch support for "huawei-alt-mode";
*) port - fixed KNOT BG77 modem port lost after RouterOS upgrade from previous versions;
*) port - improvements to KNOT BG77 modem port channel handling;
*) ppc - fixed VLAN TCP packet transmit on PPC devices;
*) profiler - improved process classification;
*) ptp - added "ptp" logging topic;
*) ptp - allow multiple instances;
*) ptp - fixed PTP on 2.5G links;
*) ptp - fixed PTP on QSFP ports for CRS326, CRS510, CRS520, CCR2216 devices;
*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18);
*) queue - speed-up queue addition/removal process;
*) quickset - improved system stability;
*) rose-storage - added Btrfs disk balance command (CLI only);
*) rose-storage - added degraded Btrfs mount option (CLI only);
*) rose-storage - fixed mounting Btrfs subvolumes using macOS SMB client;
*) rose-storage - fixes for Btrfs;
*) rose-storage - improved system stability when removing NVMe disks;
*) rose-storage - rename default RAID device name from "raid" to "raid-array";
*) rose-storage - show Btrfs balance and scrub errors if any;
*) route - added options to set dynamic-in and connected-in chains in /routing/settings;
*) route - fixed stuck output when calling prints from multiple routing menus;
*) route - fixed route rule "min-prefix" unset;
*) route - improve stability on BGP reconnect;
*) route - make AFI naming consistent;
*) route - show "routing-table" by default on console print output;
*) route - show BGP session name instead of cache-id;
*) route-filter - fixed the "blackhole" option setting process;
*) route-filter - improved performance;
*) sfp - added sfp-encoding data output from EEPROM;
*) sfp - improved QSFP link stability for CRS354 devices;
*) sniffer - add max-packet-size (2k-64k) setting to be able to sniffer more than 2k data per packet;
*) snmp - fixed v2 getnext noSuchName error when OID with requested key does not exist;
*) ssh - fixed authorization with SSH key when multiple user SSH public keys are imported;
*) ssl/tls - respond with more precise alert error messages;
*) ssl/tls - send certificate authority in Certificate message even if it is not trusted;
*) switch - do not count rx-too-long multiple times on 100Gbps QSFP28;
*) switch - fixed egress mirroring for packets coming from external CPU port (e.g. CRS520, CCR2216, CCR2116);
*) switch - fixed switch name for hEX Refresh;
*) switch - flush CPU port FDB entries on switch disable;
*) switch - improve rate limit accuracy for MT7531, MT7621, EN7562CT;
*) switch - improved boot stability on devices with Alpine CPU and switch chip;
*) switch - improved stability when enabling IGMP snooping with VXLAN (introduced in v7.18);
*) switch - properly match IPv6 packets with empty ACL rule on CRS3xx, CRS5xx, CCR2004, CCR2116, CCR2216, RDS devices;
*) system - fixed "/system reboot" when the system disk is completely full;
*) system - improved internal "flash/" prefix handling for different file path related settings;
*) system - improved system stability when sending TCP data from the router;
*) system – added new "switch-marvell" and "wifi-mediatek" packages to support upcoming products;
*) timezone - updated timezone information from "tzdata2025b" release;
*) torch - improved data reporting;
*) upgrade - improved free disk space calculation;
*) upgrade - improved upgrade procedure reliability;
*) vrrp - fixed detection of connection tracking after reboot (introduced in v7.17);
*) vxlan - improved system stability when using IPv6 VTEP;
*) webfig - allow table column resize over side toolbar;
*) webfig - don't reorder rows when selecting header cells with Alt+click;
*) webfig - show IPv6 firewall connections;
*) webfig - show missing data in "IP/DNS/Cache" records;
*) wifi - add channel.reselect-time parameter which allows to perform channel re-selection at given time of day (CLI only);
*) wifi - add information on CAP uptime and connection uptime in "Remote CAP" list;
*) wifi - added "eap-identity" to registration table;
*) wifi - added SSID to logs;
*) wifi - display error when trying to run snooper on interface which does not support wireless packet capture (sniffer);
*) wifi - fix authentication of clients which omit some RSN information at association;
*) wifi - fix incorrect info about current channel for station interfaces after AP has switched channel (introduced in v7.17);
*) wifi - fix possible snooper crash when parsing frames with malformed headers;
*) wifi - fixed 5GHz chain enumeration on Chateau PRO ax;
*) wifi - implement WPA2 PSK authentication with key derivation using SHA256 (CLI only);
*) wifi - improve parsing of captured frames which have nested flags in radiotap header;
*) wifi - improved stability for wifi interfaces;
*) wifi - improved stability when doing SNMP query;
*) wifi - improved wifi connection stability when used as a station for "b" mode access point;
*) wifi - re-word log entries about disconnections which are likely caused by peer using a wrong passphrase;
*) wifi - use at least TLS 1.2 for securing connection between CAPsMAN manager and CAPs;
*) wifi-qcom - fix inability of interfaces in station mode to connect if they do not support full bandwidth of AP;
*) wifi-qcom - fix OWE authentication for 802.11ac interfaces in station mode;
*) winbox - added "MAC Telnet" under "Wifi/Registration" menu;
*) winbox - added "Multi Passphrase Group" for wifi;
*) winbox - added "Reset MAC address" for legacy wireless and wifi;
*) winbox - added comment fields for WiFi "Multi Passphrase Group" menu;
*) winbox - added comment under "User Manager/Routers" menu;
*) winbox - added country to wireless setup-repeater;
*) winbox - added missing "Switch" menu for RDS;
*) winbox - added missing file systems for disk formatting;
*) winbox - added missing parameters for BTRFS related action functions;
*) winbox - added mount-point parameter under "Disk/Settings" menu;
*) winbox - added netmask support for switch rule Src/Dst IPv6 Address settings;
*) winbox - allow opening BTRFS menu entries;
*) winbox - changed default wireless wds-cost-range values;
*) winbox - do not show not relevant values for certificate template;
*) winbox - fixed "Multi Passphrase Group" setting for wifi;
*) winbox - fixed "registry-url" field under "Containers" configuration menu;
*) winbox - fixed missing SMB client on non-ROSE devices;
*) winbox - fixed several statistics counters not being read only;
*) winbox - fixed switch menu for Chateau 5G;
*) winbox - fixed time interval type fields precision under "Disks" menu;
*) winbox - hide container File/Remote Image fields only when instance added;
*) winbox - improve graphing efficiency when communicating with WinBox;
*) winbox - make BTRFS "Parent" and "Send Parent" options optional;
*) winbox - properly show/hide OSPF, RIP and BGP tabs for IPv6 routes;
*) winbox - renamed "raid-member" to "raid member" flag for consistency;
*) winbox - show eSIM profiles under eSIM menu without manual refresh;
*) wireguard - add wg-import config-string parameter to import config directly from terminal;
*) wireguard - update peer info on "get" command;
*) wireless - added "eap-identity" to registration table;
*) wireless - implement handling of RADIUS disconnect messages by CAPsMAN;
*) wireless - suggest all legitimate frequencies for interfaces with 20/40mhz-XX channel width in GUI;
*) x86 - added support for Emulex NIC;
*) x86 - i40e updated driver to 2.27.8 version;
*) x86 - remove unnecessary console output on shutdown;

6
8
submitted 1 month ago* (last edited 1 month ago) by iluap@lemmy.world to c/mikrotik@lemmy.world
 
 

Hello, I have a RB3011UIAS-RM as my router at home connected to a Starlink router in Bridge mode. We are getting FTTP soon (goodbye Elon Musk!) and the expected speed will be 2.5Gbps. In the UK the ISPs primarily provide Ethernet to the home owner rather than PON. I am no expert when it comes to networking, although I make things work (VLANs, Ubiquiti AP integration, pihole as DNS running on docker on a different device). My question is, can I benefit from this speed at all using my router? In my ignorance, I am thinking of link aggregation from the ISP router to my MK router, or a capable 2.5Gbps switch between the two routers and all LAN cables connected to said switch. Or is upgrading the router the only option? If so, would a RB4011 be the right choice? Can you, educated people, shed some light on this, please?

7
 
 

Currently in early test phase, it's hosted on a 100% MikroTik system, the service runs on a RDS and the storage is a RDS minio cluster. If it all works out, we will migrate older videos too.

8
 
 

You might’ve noticed the EU and Latvian flags in our recent brochures. Over 50% of our products are already made in the EU — and that number’s growing.

We’re bringing production closer to home to ensure quality, supply chain security, and transparency.

It’s not just a label. It’s a promise. 🇱🇻🇪🇺

#buyFromEU @mikrotik@lemmy.world

9
 
 

What is Quality of Service? What is its purpose? But more importantly, how can you configure it in RouterOS? In this video we go over all the possible ways you could deliver the Quality of Service your network users are looking for. @mikrotik@lemmy.world

https://www.youtube.com/watch?v=7Ak0856Q490

10
11
 
 

I mean the wAP ax is cheaper and offers faster wifi, plus it's waterproof so you can use it outdoors. One advantage of the cAP ax is a faster cpu and more RAM, but if you need a complex firewall or VPN, a dedicated server makes more sense I guess.

Tbf the cAP has two Ethernets and PoE out so you can Daisy chain them. But is that all or am I missing something?

12
 
 

I recently got fiber internet and wanted to bypass all ISP equipment with the was110. Since I needed a router with SFP (I've had an Edgerouter-X for years) I decided to switch to Mikrotik.

The l009 is such a nice router! I ended up pairing it with a cheap no-name multi gigabit managed switch (4x 2.5gb rj45 and 2x sfp+ for high speed transfers to my NAS) and a Mikrotik wAP AX for wifi, which is powered through the passive PoE on the l009.

I've been playing with LACP bonding, VLANs, firewalling and IPv6 and there is so much to it. It is such a great way to learn.

Mikrotik is a pretty cool company too. Fair prices, based in the EU, have a fediverse presence (shout out @mikrotik@mikrotik.social) and support old hardware pretty much forever.

Granted, their equipment has a quite high learning curve. But if you have the time and patience, it is really rewarding.

13
 
 

Wow, fediverse mentioned!

Screenshot from the video:

https://files.catbox.moe/r1ovso.png

I can't see pricing yet.

14
 
 

What's new in 7.18 (2025-Feb-24 10:47):

*) 60ghz - improved system stability;
*) bgp - fixed certain affinity options not working properly;
*) bgp - improved system stability when printing BGP advertisements;
*) bgp - make NO_ADVERTISE, NO_EXPORT, NO_PEER communities work;
*) bond - added transmit hash policies for encapsulated traffic;
*) bridge - added MLAG heartbeat property;
*) bridge - avoid duplicate VLAN entries with dynamic wifi VLANs;
*) bridge - do not reset MLAG peer port on heartbeat timeout (log warning instead);
*) bridge - fixed endless MAC update loop (introduced in v7.17);
*) bridge - fixed missing S flag on interface configuration changes;
*) bridge - improved stability when using MLAG with MSTP (introduced in v7.17);
*) bridge - improvements to MLAG host table updates;
*) bridge - process more DHCP message types (decline, NAK, inform);
*) bridge - removed controller-bridge (CB) and port-extender (PE) support;
*) bridge - show VXLAN remote-ip in host table;
*) btest - allow limiting access to server by IP address;
*) certificate - fixed localized text conversion to UTF-8 on certificate creation;
*) chr - fixed limited upgrades for expired instances;
*) chr/x86 - added network driver for Huawei SP570/580 NIC;
*) chr/x86 - fixed error message on bootup;
*) chr/x86 - fixed GRE issues with ice network driver;
*) chr/x86 - Realtek r8169 updated driver;
*) cloud - added "Back To Home Files" feature;
*) cloud,bth - use in-interface matcher for masquerade rule;
*) console - added dsv.remap to :serialize command to unpack array of maps from print as-value;
*) console - added file-name parameter to :serialize;
*) console - allow ISO timezone format in :totime command;
*) console - allow tab as dsv delimiter;
*) console - allow to toggle script error logging with "/console settings log-script-errors";
*) console - do not autocomplete arguments when match is both exact and ambiguous;
*) console - do not show numbering in print follow;
*) console - fixed "get" and "proplist" for certain settings;
*) console - fixed issue where ping command displays two lines at the same time;
*) console - fixed issue with disappearing global variable;
*) console - implement scriptable safe-mode commands and safe-mode handler;
*) console - improved hints;
*) console - log errors within scripts to the system log;
*) console - make non-pseudo terminals work with imports;
*) console - put !empty sentence when API query returns nothing;
*) console - renamed "back-to-home-users" to "back-to-home-user";
*) container - add default registry-url=https://lscr.io/;
*) container - allow HTTP redirects when accessing container registry;
*) container - allow specifying registry using remote-image property;
*) container - improved image arch choice;
*) container - use parent directory of container root-dir for unpack by default, so that container layer files are downloaded directly on target disk;
*) defconf - added IPv6 FastTrack configuration;
*) device-mode - do not allow changing CPU frequency if "routerboard" is not allowed by device mode (introduced in v7.17);
*) device-mode - fixed feature and mode update via power-reset on PPC devices;
*) dhcpv4-client - allow selecting to which routing tables add default route;
*) dhcpv4-client - fixed default option export output;
*) dhcpv4-server - fixed "active-mac-address" update when client has changed MAC address;
*) dhcpv4-server - fixed framed-route removal;
*) dhcpv4-server - fixed lease assigning when server address is not bind to server interface (introduced in v7.17);
*) dhcpv6-client - added "validate-server-duid" option;
*) dhcpv6-client - allow specifying custom DUID;
*) dhcpv6-client - do not run script on prefix renewal;
*) dhcpv6-relay - added option to create routes for bindings passing through relay;
*) dhcpv6-server - respond to client in case of RADIUS reject;
*) discovery - advertise IPv6 capabilities based on "Disable IPv6" global setting;
*) discovery - improved stability during configuration changes;
*) discovery - report actual PSE power-pair with LLDP;
*) discovery - use power-via-mdi-short LLDP TLV only on pse-type1 802.3af;
*) disk - add disk trim command (/disk format-drive diskx file-system=trim);
*) disk - allow to add swap space without container package;
*) disk - allow to set only type=raid devices as raid-master;
*) disk - cleanup raid members mountpoint, improve default name of file base block-device;
*) disk - do not allow adding device in raid when major settings mismatch in superblock and config;
*) disk - do not allow configuring empty slot as raid member;
*) disk - fix detecting disks on virtual machines;
*) disk - fixed removing device from raid while resyncing;
*) disk - fixed setting up dependent devices when file-based block-device becomes available;
*) disk - fixed showing free space on tmpfs (introduced in v7.17);
*) disk - improved stability;
*) disk - improved system stability when SMB interface list is used (introduced in v7.17);
*) disk - mount multi-device btrfs filesystems more reliably at startup;
*) disk - set non-empty fs label when formatting by default;
*) dns - do not show warning messages for DNS static entries when they are not needed;
*) ethernet - fixed issue with default-names for RB4011, RB1100Dx4, RB800 devices;
*) ethernet - fixed link-down on startup for ARM64 devices (introduced in v7.16);
*) ethernet - improved link speed reporting on 2.5G-baseT and 10Gbase-T ports;
*) fetch - added "http-max-redirect-count" parameter, allows to follow redirects;
*) fetch - do not require "content-length" or "transfer-encoding" for HTTP;
*) file - added "recursive" and "relative" parameters to "/file/print" for use in conjunction with "path" parameter;
*) file - allow printing specific directories via path parameter;
*) file - improved handling of filesystems with many files;
*) firewall - allow in-interface/in-bridge-port/in-bridge matching in postrouting chains;
*) firewall - fixed incorrectly inverted hotspot value configuration;
*) firewall - increased maximum connection tracking entry count based on device total RAM size;
*) hotspot - fixed an issue where extra "flash/" is added to html-directory for devices with flash folders (introduced in v7.17);
*) igmp-proxy - fixed multicast routing after upstream interface flaps (introduced in v7.17);
*) iot - added new "iot-bt-extra" package for ARM, ARM64 which enables use of USB Bluetooth adapters (LE 4.0+);
*) iot - improvements to LoRa logging and stability;
*) iot - limited MQTT payload size to 32 KB;
*) ip - added support for /31 address;
*) ippool - added pool usage statistics;
*) ipsec - added hardware acceleration support for hEX refresh;
*) ipsec - fixed chacha20 poly1305 proposal;
*) ipsec - fixed installed SAs update process when SAs are removed;
*) ipv6 - added ability to disable dynamic IPv6 LL address generation on non-VPN interfaces;
*) ipv6 - added FastTrack support;
*) ipv6 - added routing FastPath support (enabled by default);
*) ipv6 - added support for neighbor removal and static entries;
*) ipv6 - fixed configuration loss due to conflicting settings after upgrade (introduced in v7.17);
*) l2tp - added IPv6 FastPath support;
*) l3hw - added initial HW offloading for VXLAN on compatible switches;
*) l3hw - added neigh-dump-retries property;
*) l3hw - fixed /32 (IPv6 /128) route offloading when using interface as gateway;
*) l3hw - fixed partial route offloading for 98DX224S, 98DX226S, 98DX3236 switches;
*) l3hw - respect interface specifier (%) when matching a gateway;
*) log - added CEF format support for remote logging;
*) log - added option to select TCP or UDP for remote logging;
*) lte - added at-chat support for EC21EU;
*) lte - added basic support for Quectel RG255C-GL modem in "at+qcfg="usbnet",0" USB composition;
*) lte - added confirmation-code parameter for eSIM provisioning;
*) lte - added initial eSIM management support;
*) lte - fixed cases where the MBIM dialer could get stuck;
*) lte - fixed Huawei ME909s-120 support;
*) lte - fixed interface recovery in mixed multiapn setup for MBIM modems;
*) lte - fixed missing 5G info for "/interface lte print" command;
*) lte - fixed missing IPv6 prefix advertisement on renamed LTE interfaces;
*) lte - fixed prolonged reboots on Chateau 5G ax;
*) lte - fixed SIM slot initialization with multi-APN setups;
*) lte - improved automatic link recovery and modem redial functions;
*) lte - improved initialization for external USB modems;
*) lte - lte monitor, show CQI when modem reports it as 0 - undetectable, no RX/down-link resource block assigned to modem by provider;
*) lte - R11eL-EC200A-EU fixed online firmware upgrade and added support for firmware update from local file;
*) lte - R11eL-EC200A-EU improved failed connection handling and recovery;
*) lte - reduce modem initialization time for R11e-LTE-US;
*) lte - reduced SIM slot switchover time for modems with AT control channel (except R11e-LTE);
*) lte - removed nonexistent CQI reading for EC200A-EU modem;
*) net - added initial support for automatic multicast tunneling (AMT) interface;
*) netinstall - try to re-create socket if link status changes;
*) netinstall-cli - fixed DHCP magic cookie;
*) ospf - fixed DN bit not being set;
*) ospfv3 - fixed ignored metric for intra-area routes;
*) ovpn - added requirement for server name when exporting configuration;
*) ovpn - disable hardware accelerator for GCM on Alpine CPUs (introduced in v7.17);
*) ovpn-client - added 1000 character limit for password;
*) pimsm - fixed incorrect neighbor entry when using lo interface;
*) poe-out - added "power-pair" info to poe-out monitor (CLI only);
*) poe-out - added console hints;
*) poe-out - added new modes "forced-on-a" and "forced-on-bt" (CLI only);
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - improved handling of USB device plug/unplug events;
*) ppc - fixed HW encryption (introduced in v7.17);
*) ppp - add support for configuration of upload/download queue types in profile;
*) ppp - added support for random UDP source ports;
*) ppp - fixed setting loss when adding new ppp-client interface for BG77 modem from CLI;
*) ppp - properly cleanup failed inactive sessions on pppoe-server;
*) ptp - do not send packets on STP blocked ports;
*) ptp - improved system stability;
*) qos-hw - fixed global buffer limits for 98CX8410 switch;
*) queue - improved system stability when many simple queues are added (introduced in v7.17);
*) queue - improved system stability;
*) queue - prevent CAKE bandwidth config from potentially causing lost connectivity to a device;
*) resolver - fixed static FQDN resolving (introduced in v7.17);
*) rip - fixed visibility of added key-chains in interface-template;
*) rose-storage - add btrfs filesystem add-device/remove-device/replace-device/replace-cancel commands to add/remove/replace disks to/from a live filesystem;
*) rose-storage - add btrfs filesystem balance-start/cancel commands;
*) rose-storage - add btrfs filesystem scrub-start, scrub-cancel commands (CLI only);
*) rose-storage - add btrfs transfers, supports send/receive into/from file for transferring subvolumes across btrfs filesystems;
*) rose-storage - add support to add/remove btrfs subvolumes/snapshots;
*) rose-storage - added support for advanced btrfs features: multi-disk support, subvolumes, snapshots, subvolume send/receive, data/metadata profiles, compression, etc;
*) rose-storage - allow to separately mount any btrfs subvolumes;
*) rose-storage - fixes for btrfs server;
*) rose-storage - update rsync to 3.4.1;
*) rose-storage,ssh - support btrfs send/receive over ssh;
*) route - added /ip/route/check tool;
*) route - added subnet length validation on route add;
*) route - do not use disabled addresses when selecting routing id;
*) route - fixed busy loops (route lockups);
*) route - fixed incorrect H flag usage;
*) route - improved stability when polling static routes via SNMP;
*) route - properly resolve imported BGP VPN routes;
*) routerboot - disable packet switching during etherboot for hEX refresh ("/system routerboard upgrade" required);
*) routerboot - improved stability for IPQ8072 ("/system routerboard upgrade" required);
*) routing-filter - improved stability when using large address lists (>5000);
*) routing-filter - improved usage of quotes in filter rules;
*) sfp - fixed missing "1G-baseX" supported rate for NetMetal ac2 and hEX S devices;
*) sfp - improved linking with certain QSFP modules on CRS354 devices;
*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
*) sfp,qsfp - improved initialization and linking;
*) smb - fixed connection issues with clients using older SMB versions (introduced in v7.17);
*) smb - fixes for SMB server;
*) smb - improved system stability;
*) snmp - added "mtxrAlarmSocketStatus" OID to MIKROTIK-MIB;
*) snmp - added disk serial number through description field;
*) snmp - sort disk list and assign correct disk types;
*) ssh - improved channel resumption after rekey and eof handling;
*) supout - added IPv6 settings section;
*) supout - added per CPU load information;
*) switch - allow entering IPv6 netmask for switch rules (CLI only);
*) switch - fixed dynamic switch rules created by dot1x server (introduced in v7.17);
*) switch - fixed issues with inactive hardware-offloaded bond ports;
*) switch - improved egress-rate on QSFP28 ports;
*) switch - improved system stability for CRS304 switch;
*) switch - improvements to certain switch operations (port disable, shaper and switch initialization);
*) system - added option to list and install available packages (after using "check-for-updates");
*) system - do not allow to install multiple wireless driver packages at the same time;
*) system - do not cause unnecessary sector writes on check-for-updates;
*) system - enable "ipv6" package on RouterOS v6 downgrade if IPv6 is enabled;
*) system - fixed a potential memory leak that occurred when resetting states after an error;
*) system - force time to be at least at package build time minus 1d;
*) system - improved HTTPS speed;
*) system - improved stability on busy systems;
*) system,arm - automatically increase boot part size on upgrade or netinstall (fixed upgrade failed due to a lack of space on kernel disk/partition);
*) tile - improved system stability;
*) traceroute - added "too many hops" error when max-hops are reached;
*) traceroute - limit max-hops maximum value to 255;
*) user - improved authentication procedure when RADIUS is not used;
*) vxlan - added disable option for VTEPs;
*) vxlan - added IPv6 FastPath support;
*) vxlan - added option to dynamically bridge interface and port settings (hw, pvid);
*) vxlan - added TTL property;
*) vxlan - changed default port to 4789;
*) vxlan - fixed unset for "group" and "interface" properties;
*) vxlan - replaced the "inherit" with "auto" option for dont-fragment property (new default);
*) webfig - added confirmation when quitting in Safe Mode;
*) webfig - do not reload form when failed to create new object;
*) webfig - fixed "TCP Flags" property when inverted flags are set in console;
*) webfig - fixed datetime setting under certain menus;
*) webfig - fixed displaying passwords;
*) webfig - fixed Switch/Ports menu not showing correctly;
*) webfig - hide certificate information in IP Services menu when not applicable;
*) webfig - remember expand/fold state;
*) wifi - added max-clients parameter;
*) wifi - avoid excessive re-transmission of SA Query action frames;
*) wifi - fix issue which made it possible for multiple concurrent WPA3 authentications to interfere with each other;
*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band;
*) wifi - log a warning when a client requests power save mode during association as this may prevent successful connection establishment;
*) wifi - re-word the "can't find PMKSA" log message to "no cached PMK";
*) wifi - try to authenticate client as non-FT client if it provides incomplete set of FT parameters;
*) wifi-qcom - fix reporting of radio minimum antenna gain for hAP ax^2;
*) wifi-qcom - prevent AP from transmitting broadcast data unencrypted during authentication of first client;
*) winbox - added "Copy to Provisioning" button under "WiFi/Radios" menu;
*) winbox - added "Last Logged In/Out" and "Times Matched" properties under "WiFi/Access List" menu;
*) winbox - added "Reset Alert" button under "IP/DHCP Server/Alerts" menu;
*) winbox - added L3HW Advanced and Monitor;
*) winbox - added missing options under "System/Disk" menu;
*) winbox - added TCP settings under "Tools/Traffic Generator/Packet Templates" menu;
*) winbox - do not show 0 Tx/Rx rate under "WiFi/Registration" menu when values are not known;
*) winbox - do not show LTE "Antenna Scan" button on devices that do not support it;
*) winbox - fixed locked input fields when creating new certificate template;
*) winbox - show LTE "CA Band" field only when CA info is available;
*) winbox - show warning messages for static DNS entries;
*) x86 - fixed "unsupported speed" warning;

15
 
 

Well I couldn't find this on the internet anywhere-

I was having issues setting up active-backup bonding on my Mikrotik router via this guide.

Whenever I turned on both interfaces, I experienced packet loss.

The solution was to TURN OFF hardware offloading. It doesn't work with active-backup. The docs even say it doesn't work with hardware offloading, but it failed in a way that was hard for me to debug.

So yeah! Now works great, router <-> unmanaged switch with bond bridged.

16
17
 
 

What's new in 7.17 (2025-Jan-16 10:19):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled;
!) webfig - redesigned HTML, styling and functionality;
*) 6to4 - fixed issue where 6to4 relay would not forward traffic unless destination address is set;
*) adlist - improved logging;
*) adlist - improved system stability;
*) adlist - optimized import on system with low disk space;
*) api - fixed REST API serialization of binary data;
*) arm64 - fixed for bare-metal servers to be able to access more than 2GB RAM;
*) arm64 - show CPU frequency on bare-metal installations;
*) arm64/x86 - added missing PCI id for mlx4 driver;
*) bonding - hide mlag-id property on non-compatible devices;
*) bridge - add HW offload support for active-backup bonds on 98DXxxxx, 88E6393X, 88E6191X and 88E6190 switches;
*) bridge - added interface-list support for VLANs;
*) bridge - added message for inactive port reason;
*) bridge - added priority setting to manually elect primary MLAG peer;
*) bridge - correctly display PPP interfaces in VLAN menu;
*) bridge - disallow duplicate static VLAN entries;
*) bridge - disallow multicast MAC address as admin-mac;
*) bridge - enable faster HW offloading when detect-internet is disabled;
*) bridge - fixed first host table response for SNMP;
*) bridge - fixed incorrect HW offloaded port state in certain cases on MSTI add;
*) bridge - fixed missing slave flag on port in certain cases;
*) bridge - fixed MVRP registrar and applicant port options;
*) bridge - fixed port monitor with interface-lists;
*) bridge - fixed port move command;
*) bridge - fixed setting bridge MTU to L2MTU value;
*) bridge - fixed VLAN overlap check;
*) bridge - ignore disabled interfaces when calculating bridge L2MTU;
*) bridge - improved port handling;
*) bridge - improved stability;
*) bridge - prioritize MAC selection from Ethernet interfaces when using auto-mac feature;
*) bridge - re-synchronize MLAG system-id when bridge MAC changes;
*) bridge - removed support for master port config conversion (used before version 6.41);
*) bridge - update dynamic MSTI priority value when changing configuration;
*) bth - improved stability on system time change;
*) certificate - do not download CRL if there is not enough free RAM;
*) certificate - do not show not relevant values for certificate template (CLI only);
*) certificate - fixed handling of capsman-cap certificates (introduced in v7.16);
*) certificate - removed unstructured address field support;
*) chr - added Chelsio VF driver for PCIID 5803;
*) chr/arm64 - fixed kernel crypto use without crypto extensions for RPi CM4;
*) cloud - changed ddns-enabled setting from "no" to "auto" (service is enabled when BTH is enabled);
*) cloud - improved DDNS and VPN state stability;
*) console - added :range command;
*) console - added group-by property for print command;
*) console - added json.no-string-conversion to :serialize;
*) console - added lf/crlf options to :convert transform;
*) console - added more argument definitions for mac-protocol property;
*) console - added password property to "/system/ssh-exec" command;
*) console - added to/from=num option for :convert command;
*) console - allow clearing history for a specific user;
*) console - allow setting width to supout.rif output;
*) console - clear history when removing user;
*) console - disallow autocomplete hints for user without read policy;
*) console - execute :return command without error;
*) console - fixed endless loop when closing input prompt;
*) console - fixed missing arguments in wifi menu in certain cases;
*) console - force print paging when output does not fit terminal width;
*) console - improved printing output in some menus;
*) console - improved scripting system stability;
*) console - increased w60g scan-list size to 6;
*) console - print warning in CLI after enabling protected bootloader;
*) console - removed "chain" names from print parameter list and show all print parameters in "/ipv6/firewall/filter" directory;
*) console - show system-id in export for CHR;
*) console - updated copyright notice;
*) container - allow import from .tar.gz file;
*) container - do not log start, end events unless logging is enabled;
*) container - fixed user and group ID range;
*) container - improved "start-on-boot" stability;
*) container - improved container shell;
*) crypto - improve crypto speeds;
*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;
*) defconf - changed wireless installation from "indoor" to "any";
*) defconf - disable 5GHz secondary channel on RB4011;
*) defconf - do not add default password for CAP mode configuration on older Audience devices without a password;
*) defconf - fixed new port name recognition;
*) detnet - remove dynamic DHCP client creation;
*) device-mode - added "allowed-versions" list which are allowed to be installed without "install-any-version" mode enabled;
*) device-mode - added "basic" mode;
*) device-mode - added routerboard, install-any-version and partitions features;
*) device-mode - allow feature and mode update on x86 via power button and reboot/shutdown from AWS;
*) device-mode - fixed feature and mode update on ARM64 Hetzner;
*) device-mode - fixed feature and mode update via power-reset on MIPSBE devices;
*) device-mode - limit "/tool/ping-speed" and "/tool/flood-ping" under "traffic-gen" feature;
*) device-mode - limit device-mode update maximum allowed attempt count which can be reset only with reboot or button press;
*) device-mode - provide more precise device-mode update action printout;
*) device-mode - show all features and active restrictions with "print" command;
*) dhcp-relay - added "local-address-as-src-ip" property;
*) dhcp-server - use interface ID for NAS-Port and added interface name to NAS-Port-ID attribute in RADIUS requests;
*) dhcp-server - use single RADIUS accounting session for IPv4 and IPv6 when dual stack is used;
*) dhcpv4-client - correctly handle adding/setting empty dhcp-options;
*) dhcpv4-client - fixed crash when releasing disabled DHCP client;
*) dhcpv4-client - respect Renewal-Time (58) and Rebinding-Time (59) options;
*) dhcpv4-server - do not remove options set config when DHCP network is changed;
*) dhcpv4-server - properly detect DHCP server address when underlying interface has multiple IP addresses configured;
*) dhcpv4-server/relay - added additional error messages for DHCP servers and relays;
*) dhcpv4/v6-server - added address-list parameter to which address will be added if the lease is bound;
*) dhcpv6-client - added prefix-address-list parameter;
*) dhcpv6-client - improved system stability when DHCPv6 client is enabled on non-existing interface;
*) dhcpv6-client - log message when response with invalid transaction-id received;
*) dhcpv6-client/server - added support for DHCPv6 reconfigure messages;
*) dhcpv6-server - added IPv6 address delegation support;
*) dhcpv6-server - do not require "prefix-pool" to be specified;
*) dhcpv6-server - fixed DHCPv6 server "address-pool" property showing in command line as "unknown" when real value is "static-only";
*) dhcpv6-server - improved system stability when removing actively used DHCPv6 server;
*) dhcpv6-server - include all existing prefixes (with lifetime 0) in renew reply and new prefix if RADIUS returns different prefix;
*) dhcpv6-server - properly display "static-pool" value in server print output for "prefix-pool" argument;
*) discovery - added support for LLDP DCBX;
*) discovery - use LLDP description field to populate platform, version and board-name;
*) disk - added "type=file" for file-based block devices, useful for using file as a swap, or when having file-based filesystem images (CLI only);
*) disk - added btrfs filesystems list (CLI only);
*) disk - added mount-read-only and mount-filesystem options to allow read-only mounts and prevent mounting device at all (CLI only);
*) disk - added sshfs client to "/disk" menu (CLI only);
*) disk - added support for SWAP, currently allowed on any block device with "set x swap=yes" when container package is installed (CLI only);
*) disk - allow to configure global and per disk mountpoint template - [slot],[model],[serial],[fw-version],[fs-label],[fs-uuid],[fs] variables supported;
*) disk - auto mount iso and squashfs images;
*) disk - fixed managing and cleaning up mount points;
*) disk - fixed raid role auto selection for up to 64 drives;
*) disk - improve slot naming and improvements for visualizing complex hardware topology;
*) disk - improve test to report zero byte iops;
*) disk - improved system stability;
*) disk - read/show exfat filesystem label;
*) disk - recognize virtual sd interfaces;
*) disk - remove 32 character slot name limit;
*) disk - save raid superblock and raid bitmap superblock on member devices in 1.2 format/location;
*) disk - show detailed mountpoint users when unable to unmount;
*) disk - show usage as percentage (CLI only);
*) disk - try all NFS versions (4.2,4.1,4.0,3,2) when mounting NFS in that order;
*) disk,nvme - show nvme namespaces if configured more than one on a nvme drive;
*) dns - added option to create named DNS servers that can be used as forward-to servers;
*) dns - do not look up local cache when executing ":resolve" command with specified "server" parameter (introduced in v7.16);
*) dns - DoH whitelist support for adlist using static FWD entries;
*) dns - refactored DNS service internal processes;
*) dns - whitelist support for adlist using static FWD entries;
*) ethernet - improved interface stability for RB4011 devices;
*) ethernet - improved linking after reboot for hAP ax lite devices ("/system routerboard upgrade" required);
*) ethernet - improved stability after reboot for Chateau PRO ax;
*) ethernet - improved system stability for CCR2004-1G-2XS-PCIe device;
*) ethernet - log warning only about excessive broadcast (do not include multicast) and reduced log count;
*) fetch - fixed certificate check when provided hostname is IP address;
*) fetch - fixed large file (over 4GB) fetch in HTTP/HTTPS mode;
*) file - correctly identify mounted disks;
*) file - do not needlessly scan large filesystems, could prevent unmounting;
*) file - improved handling of changes to the file system;
*) file - improved service stability when accessing files list from other system services;
*) file - support files over 4GB size;
*) file - update file size before trying to request content;
*) firewall - added none-dynamic and none-static arguments for IPv6 address-list-timeout settings;
*) firewall - added support for random external port allocation;
*) firewall - added warning log for TCP SYN flood;
*) firewall - fixed "dst-limit" and "limit" matchers when using zero value for burst argument;
*) firewall - improved matching from deeply nested interface-lists;
*) firewall - removed default mangle passthrough=yes configuration from export;
*) ftp - added VRF support;
*) gps - changed default GPS antenna setting for LtAP mini with internal LTE/GPS combo antenna;
*) graphing - fixed graphing rule removal;
*) graphing - fixed queue graph storing on disk;
*) health - added cpu-overtemp-check on ARM, ARM64 devices (CLI only);
*) health - changed PSU state from "no-ac" to "no-input";
*) health - hide settings in CLI if there is nothing to show;
*) health - removed board-temperature on RB5009UPr+S+IN device;
*) igmp-proxy - refactored IGMP querier;
*) ike2 - improved performance by balancing multicore CPU usage for key exchange calculation also for initiator;
*) iot - added additional debug for LoRa logging;
*) iot - added an option to print out LoRa traffic in CLI (not GUI-only option anymore);
*) iot - added new LoRa traffic FCnt packet counter parameter;
*) iot - added support for USB Bluetooth dongles (LE 4.0+) which enables Bluetooth functionality;
*) iot - bluetooth peripheral device menu now displays correct iBeacon major/minor values;
*) iot - fixed duplicate LoRa payloads in the traffic tab;
*) iot - fixed incorrect LoRa joineui filter export behavior;
*) iot - fixed LoRa behavior, where join eui or dev eui could be incorrectly converted during forwarding;
*) iot - improved system stability for LoRa;
*) iot - improvements to LoRa device's stats tab;
*) iot - LoRa LNS improvement;
*) iot - LoRa traffic tab RSSI now shows proper values for ARM architecture;
*) iot - modbus rework which improves Tx Rx switching behavior;
*) iot - mqtt improvement to support large payloads and gracefully discard payloads above size limit;
*) iot - removed crc-disabled and crc-error options from the LoRa forwarding;
*) iot - removed LoRa pause traffic option/setting;
*) iot - removed some LoRa radio related parameters (e.g. RSSI-OFF and Tx-enabled) that were not meant to be changed;
*) ippool - removed maximum "63 bit" prefix length limitation;
*) ipsec - ike2 improved process for policies;
*) ipv6 - added comment property to "/ipv6/nd/prefix" menu;
*) ipv6 - added IPv6 settings related to stale IPv6 neighbor cleanup;
*) ipv6 - added support for manual link-local address configuration;
*) isis - do not disable fast-path when isis is enabled on an interface;
*) isis - fixed console flags;
*) isis - fixed invalid L2 LSP type;
*) isis - make it work when MTU is larger than 1500;
*) isis - update interface MAC address on change (caused neighbor to stuck in init state);
*) kid-control - use time format according to ISO standard;
*) l3hw - improved system stability;
*) l3hw - rate limit error logging;
*) leds - fixed issue where interface LEDs might not properly disable in some cases;
*) log - added basic validation for "disk-file-name" property;
*) log - added hostname support to remote logging action;
*) log - added regex parameter for log filtering in rules;
*) log - fixed e-mail logging (introduced in v7.16);
*) log - use time format according to ISO standard;
*) lte - added option to check/install modem firmware from early-access/testing channel (CLI only);
*) lte - added provider specific firmware update (FOTA) for Cosmote GR networks on Chateau 5G;
*) lte - disabled ims service for Chateau 5G on operator "3 AT" network (PLMN ID 23205);
*) lte - drop operator selection support for R11e-4G modem as it is unreliable;
*) lte - fixed "default-name" property in export when multiple LTE interfaces are used;
*) lte - fixed "lte monitor" signal reporting for RG520F-EU modem when connected to 5G SA network;
*) lte - fixed "operator" setting for EC200A-EU modem;
*) lte - fixed long "PLMN search in progress" for SXT 3-7;
*) lte - fixed LTE band setting for SXT LTE 3-7;
*) lte - fixed roaming barring (allow-roaming=no) for EC200A-EU modem;
*) lte - fixed signal info reporting for FG621-EA modem in UMTS network;
*) lte - fixed SMS sender parsing;
*) lte - improved modem FW upgrade for Chateau 5G;
*) lte - improved R11eL-EC200A-EU modem firmware upgrade procedure;
*) lte - improved recovery after unexpected modem reboot for Chateau's 5G and 5G R16 series devices;
*) lte - improvements to modem "firmware-upgrade" command;
*) lte - MBIM increased assignable APN profile count up to 8 when modem firmware allows it;
*) lte - modem firmware update (FOTA), added support to install provider specific version;
*) lte - removed trailing "F" symbol from uicc;
*) lte - set "sms-read=no" and "sms-protocol=auto" as default values;
*) lte - set IPv6 address reporting format in modem init for AT modems and MBIM modems with AT channel;
*) mac-server - allow MAC-Telnet access through any bridged port when bridge interface is allowed;
*) mac-telnet - use ASCII DEL as erase/backspace char instead of BS (fixes mac-telnet backspace for WinBox4);
*) macvlan - improved error when trying to create new interface on already busy parent interface;
*) macvlan - updated driver;
*) modem - KNOT BG77 modem, improved handling of modem unexpected restarts;
*) mpls - added fast-path support for VPLS;
*) mpls - added MPLS mangle support;
*) mpls - added support for "ICMP Fragmentation needed";
*) mpls - do not drop LDP peering session on PW deactivation;
*) mpls - do not reconnect VPLS on name or comment changes;
*) netinstall - removed unused "Get key" button;
*) netinstall - save and restore device-mode configuration on format;
*) netinstall-cli - added "-o" option to install devices only once per netinstall run;
*) netinstall-cli - fixed x86 detection;
*) netwatch - added "ignore-initial-up" and "ignore-initial-down" properties;
*) netwatch - fixed multiple variables;
*) netwatch - fixed probe toggle when adding a comment;
*) ospf - fixed memory corruption;
*) ospf - improved stability on configuration update;
*) ovpn - added VRF support to OVPN server (server menu now supports multiple entries and previous server configuration is automatically imported);
*) ovpn - improved system stability;
*) ovpn-client - added tls-crypt, tls-crypt-v2 support;
*) ovpn-server - added "user-auth-method" property and allow mschap2 for RADIUS authentication;
*) pimsm - improved system stability after interface disable;
*) poe-out - added low-voltage-too-low status;
*) poe-out - improved PoE-out configuration handling when doing reset-configuration command;
*) poe-out - upgraded firmware for CRS354-48P-4S+2Q+ device (the update will cause brief power interruption to PoE-out interfaces);
*) poe-out - upgraded firmware for PSE (BT) controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - display a warning when using invalid log-file with the "remote-access" feature;
*) port - more detailed print command output, include in "USED-BY" property channel number(s);
*) ppp - add routes in matching VRF;
*) ppp - added support for bridge-port-pvid configuration via ppp profile;
*) ppp - added support for bridge-port-trusted configuration via ppp profile;
*) ppp - do not print local/remote pool related errors in log when configuration does not require pool usage;
*) ppp - fixed typos in log message;
*) ppp - reuse link-local IPv6 address for static bindings when possible;
*) ppp - set APN/PDN type "IPv4/v6" according to assigned PPP profile protocol setting;
*) pppoe - added support for PPPoE server over 802.1Q VLANs;
*) profiler - classify ppp processing;
*) profiler - improved process classification;
*) profiler - renamed radv process to radvd;
*) ptp - added dynamic switch ACL rules in order to trap PTP packets to CPU instead of forwarding;
*) ptp - added option to configure L2 transport with forwardable and non-forwardable MAC destination;
*) ptp - added PTP support for CRS320-8P-8B-4S+ and CRS326-4C+20G+2Q+ devices;
*) ptp - display warning when none of the PTP ports has a link;
*) ptp - fixed DSCP values for IPv4 packets;
*) ptp - fixed packet receive with enabled igmp-snooping;
*) ptp - fixed packet tx/rx when enabling PTP on 1/2.5/100Gbps links for 98CX8410, 98DX8525, 98DX4310 switches (introduced in v7.16);
*) ptp - fixed synchronization on QSFP28 interfaces;
*) ptp - make PTP process more stable and deterministic when applying configuration;
*) ptp - restrict configuring g8275 profile with IPv4 transport;
*) qos-hw - allow to disable/enable profiles, disabled or removed profile gets replaced with the default;
*) qos-hw - enabling PFC on port also requires setting egress-rate-queueN;
*) qos-hw - fixed export when changing default Tx Manager;
*) qos-hw - fixed incorrect port byte-use counter;
*) qos-hw - improved PFC behavior;
*) qos-hw - improved system stability when enabling QoS;
*) qos-hw - improved WRED and ECN behavior;
*) qos-hw - rename pfcN-pause and pfcN-resume to pfcN-pause-threshold and pfcN-resume-threshold;
*) qos-hw - reworked PCP and DSCP mapping (now supports single, multiple and range values, previous configuration with minimal value mapping is converted to a single value);
*) qos-hw - switch-cpu port trust settings are forced to "keep";
*) queue - improved system stability when too many simple queues are added;
*) quickset - added "LTE AP" quickset profile with one wifi interface;
*) rip - improved stability when changing metric;
*) romon - added dynamic switch rules on devices supporting it when enabling the service;
*) romon - added interface-list support;
*) romon - send uptime in discovery;
*) rose-storage - allow to set iscsi-iqn only when type=iscsi and allow nvme-tcp-name only when type=nvme-tcp;
*) rose-storage - do not allow to format exported disks;
*) rose-storage - enable autocomplete for local-path property in "/file/sync" menu;
*) rose-storage - enable more threads for faster RAID sync;
*) rose-storage - ensure unique nvme-tcp-names for nvme-tcp clients;
*) rose-storage - improved error messages;
*) rose-storage - improved system stability;
*) rose-storage,raid - improved stability of degraded arrays on startup;
*) rose-storage,raid - store superblock in 1.2 format, show raid super block info when detected to help with reassembling arrays;
*) route - fixed discourse attribute print;
*) route - fixed minor typo in failure message;
*) route - fixed possible issue with inactive routes after reboot (introduced in v7.16);
*) route - improved stability;
*) route - improved stability with static route configuration;
*) route - increased interface name length limit in log messages;
*) route - removed possibility for IPv6 routes to specify interface in the dst-address;
*) routerboot - fixed boot MAC for devices with Alpine CPU ("/system routerboard upgrade" required);
*) routerboot - fixed boot MAC for MIPSBE CRS3xx and CRS5xx switches ("/system routerboard upgrade" required);
*) routerboot - improved stability for IPQ8072 and IPQ6010 when flash-boot is used ("/system routerboard upgrade" required);
*) routing-filter - fixed subtract and add for numerical values (+x, -x);
*) rsync - fixed when used over ssh and spaces in directory names;
*) sfp - fixed 1Gbps supported rate for RB960 and RB962 devices;
*) sfp - fixed linking with 1Gbps optical modules with "combo-mode=sfp" configuration for CRS312 device;
*) sfp - improved initialization and linking for some SFP modules;
*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices ("/system routerboard upgrade" required);
*) sfp - improved power control configuration for QSFP optical modules according to the EEPROM field;
*) sfp - improved SFP auto-negotiation for L22, L23 devices;
*) sfp - improved SFP28, QSFP28 interface stability using DAC cable for CRS520 switch;
*) smb - stability improvements for client/server;
*) snmp - added wifi fields to MIKROTIK-MIB;
*) socks - fixed comment property for access configuration;
*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);
*) ssh - do not regenerate host key after update from RouterOS version older than 7.9;
*) ssh - improved logging;
*) ssh - improved speed;
*) ssh - prefer GCM ciphers for arm64 and x86 devices when ciphers=auto;
*) ssl/tls - improved performance;
*) sstp - added pfs=required option to allow only ECDHE during TLS handshake;
*) storage - preserve permissions,owners,attributes when syncing under "/file/sync";
*) storage,rsync - fixed to work with clients passing "-a" option;
*) supout - added BGP advertisements section;
*) supout - added device-mode section;
*) supout - do not create autosupout.rif for second time after system reboot;
*) supout - print non BGP and OSPF routes if route list is too large;
*) supout - reduce minimal RAM required for export to be included;
*) supout - use separate LTE section;
*) switch - added "all" argument for "new-dst-ports" switch rule property for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - added IPv6 flow label matching in switch rules for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - allow bond interfaces in switch rules for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - allow matching network bitmask for IPv4 and IPv6 dst/src-address properties in switch rule;
*) switch - disallow switch-cpu in "ports" and "new-dst-ports" rule properties for CRS3xx, CRS5xx, CCR2116, CCR2216 and RB5009 devices;
*) switch - fixed a potential issue with packet corruption caused by incorrect switch initialization on CRS3xx/5xx devices;
*) switch - fixed L2MTU for 25Gbps ports;
*) switch - fixed RSPAN error message when using mirror-target=cpu;
*) switch - fixed rule disable in certain cases for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) switch - fixed storm-rate accuracy on 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) switch - force "mac-protocol" when matching IPv4 or IPv6 specific properties;
*) switch - improved CPU performance for CRS328-24P-4S+ switch;
*) switch - improved system stability for RB5009 and CCR2004-16G-2S+ devices;
*) switch - make switch rule "ports" property not required and unsettable (allows matching packets on all switch ports);
*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU);
*) system - improved IPv6 maximum routing table size based on total memory;
*) system - make ICMP error source address selection configurable (icmp-errors-use-inbound-interface-address parameter in ip settings);
*) system - make TCP timestamp handling configurable (tcp-timestamps parameter in ip settings);
*) system - moved "/system/upgrade" to "/system/package/local-update";
*) tftp - improved stability;
*) upnp - rename service description file from gateway_description.xml back to gateway.xml;
*) user-manager - improved stability;
*) vpls - added support for bridge-pvid configuration;
*) vrf - fixed packet handling with enabled queues;
*) vxlan - fixed issue causing to lose IPv6 VTEP address setting;
*) webfig - added search option for settings;
*) webfig - allow download from file details;
*) webfig - allow style.css and script.js in branding packages;
*) webfig - fixed uploading files with Windows style newlines;
*) webfig - hide inherited wifi password;
*) webfig - improved keyboard navigation;
*) webfig - improved screen reader support;
*) webfig - improved system stability when used over many simultaneous sessions;
*) webfig - redirect "/help/license.html" to "/license.txt" for backwards compatibility;
*) webfig - reduce flickering when table is sorted by column with duplicate values;
*) webfig - Skin Designer moved to centralized page;
*) webfig - status page is deprecated, old status page config will work, but can't be updated or created;
*) webfig - support unicode strings;
*) wifi - add information to each interface, showing which CAPsMAN manages it or which CAP hosts it when applicable;
*) wifi - added a debug log entry when switching channel;
*) wifi - added ability to set security.owe-transition-interface to "auto";
*) wifi - added access-list stats (CLI only);
*) wifi - added configuration.installation property to limit use of indoor-only channels;
*) wifi - added debug log messages on station authentication mismatch;
*) wifi - added extra info to CAPsMAN about message;
*) wifi - added last-activity property in registration table;
*) wifi - added multi-passphrase (PPSK) support (CLI only);
*) wifi - added option to reset MAC address (CLI only);
*) wifi - added station-roaming support;
*) wifi - allow IPv6 LL address in caps-man-addresses;
*) wifi - disabled 802.11h on 2.4GHz station;
*) wifi - fixed "disabled" property in certain cases;
*) wifi - fixed failure to resume operation after DFS non-occupancy period has elapsed;
*) wifi - fixed failure with "auto" peer update on the OWE interface;
*) wifi - fixed occasional failure to bring up management frame protection and channel switch capabilities;
*) wifi - fixed the "no available channels" message still being displayed after a setting change has made some channels available;
*) wifi - improved FT roaming with WPA3 for some Apple devices;
*) wifi - indicate radios' ability to perform a channel switch in their "hw-caps" attribute;
*) wifi - indicate which channels are subject to DFS, or are indoor-only in output of "monitor" command;
*) wifi - re-word the "SA Query timeout" log message to "not responding";
*) wifi - show authentication type and wireless standard used by each client in registration table;
*) wifi - show regulatory limits on maximum bandwidth in output of radio/reg-info command;
*) wifi - when operating in station mode, log more information when AP switches to an unsupported channel;
*) wifi-qcom - added Superchannel country profile;
*) wifi-qcom - updated regulatory info for Ukraine, Australia and United States;
*) wifi-qcom-ac - allow use of channel 144 under "Japan" regulatory domain;
*) wifi-qcom-ac - fix possible conflict between radio and USB initialization on hAP ac2;
*) wifi-qcom-ac - improved CPU load balancing and system stability;
*) winbox - added "Copy to Access List" option under "WiFi/Registration" menu;
*) winbox - added "Max Entries" and "Total Entries" properties under "IP/Firewall/Connections/Tracking" menu;
*) winbox - added "Scan" and "Test Disks" features under "System/Disks" menu;
*) winbox - added Enable/Disable buttons under "Tools/Graphing" menus;
*) winbox - added MAC address support for "Group" property under "Bridge/MDB" menu;
*) winbox - added missing "bus" option for compatible devices under "System/RouterBOARD/USB Power Reset" menu;
*) winbox - added missing properties under "IP/Neighbors" menu;
*) winbox - allow to edit Ethernet MAC address;
*) winbox - clear "Value" field when unset under "IP/DNS/Static" menu;
*) winbox - fixed duplicate timezone names;
*) winbox - fixed typo in "System/Reset Configuration" menu;
*) winbox - hide LCD menu for devices without display;
*) winbox - hide LTE "External Antenna" menu for devices without switchable antenna option;
*) winbox - improved stability;
*) winbox - minimal required version is v3.41;
*) winbox - refresh values under "Bridge/VLANs/MVRP Attributes" menu;
*) winbox - renamed and moved "System/Auto Upgrade" to "System/Packages" menu;
*) winbox - renamed wrong invalid interface flag to inactive;
*) winbox - show "FEC" property on status tab for interfaces that use it;
*) winbox - show MLAG settings for CRS326-4C+20G+2Q+ device;
*) winbox - updated properties and behavior under "Switch/QoS" menu;
*) wireguard - do not initiate handshake when peer is configured as responder;
*) wireless - added option to reset MAC address (CLI only);
*) wireless - added vlan-id to registration-table;
*) wireless - allow to set Canada2 country profile when locked with US lock package for CubeG device;
*) wireless - enable all chains by default for RB911 and RB922 series devices;
*) wireless - fixed antenna gain for SXT5ac device;
*) wireless - preserve configured country while using setup-repeater, added "country" argument (CLI only);
*) x86 - Realtek r8169 updated driver;
*) zerotier - added debug logging;
*) zerotier - do not show default settings in export;
*) zerotier - upgraded to version 1.14.0;

18
 
 

Or can I hard-reset the device into the default configuration again?

19
20
21
 
 

Hi,

I would like to create a LAN where each node needs to authenticate before gaining access to the LAN.

And secondly, be able to monitor the data consumption of each node and even limit the speed for a node when exceeded.

Is this possible with RouterOS?

Thanks.

22
 
 

Hi All,

I'd like to block a couple of "guest" devices from accessing any devices on my LAN, but allow them internet access. They're streaming media boxes from a foreign country, and I'm not convinced they are, or will remain clean of malware.

Yes, the easiest solution is to simply remove them, or block them entirely, but there are "family issues" at work, and I'd like a short-term solution until the family members leave and take their device with them.

I've already rate limited them with queues so they don't have a significant upload speed so their ability to participate in any DOS business will be limited.

I have the device's MAC and have it locked to a static IP, so I'd like to deny 192.168.x.x and allow anything else.

Any ideas?

23
24
3
Bypass Wireguard Client (discuss.tchncs.de)
submitted 9 months ago* (last edited 9 months ago) by kittenbridgeasteroid@discuss.tchncs.de to c/mikrotik@lemmy.world
 
 

I used to have Proton VPN set up through IPSec, but that hasn't been functioning for a while, and now Proton has removed the setup guide for it. My SO hates the VPN, so I have their devices set up in a firewall address list to bypass it.

I'd like to be able to set up Proton in Wireguard, but I need to be able to bypass it, so any help with that would be appreciated.

25
 
 

7.16 2024-09-24

What's new in 7.16 (2024-Sep-20 16:00):

Spoiler because the list is very long.

*) 6to4 - fixed 6to4 tunnel LL address generation after system reboot;
*) 6to4 - improved system stability when using 6to4 tunnel without specified remote-address;
*) 6to4 - limit keepalive timeout maximum value;
*) address - added "S" flag for addresses that belong to a slave interface;
*) arm64 - fixed "disable-running-check" for ARM64 UEFI;
*) arm64 - increased reserved storage space for bootloader;
*) arm64/x86 - added rtl8111/8168/8411 firmware;
*) arp - fixed possible issue with invalid entries;
*) bgp - fixed BGP sessions missing vpnv6 afi;
*) bgp - fixed cluster-list and originator-id;
*) bgp - fixed corrupted as-path when received update with empty AS_PATH attribute (introduced in v7.15);
*) bgp - fixed minor logging typo;
*) bgp - fixed vpnv6 safi;
*) bgp - small logging improvements;
*) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge;
*) bridge - added forward-reserved-addresses property which controls forwarding of MAC 01:80:C2:00:00:0x range (separated from "protocol-mode=none" functionality, disabled by default after upgrade);
*) bridge - added L2 MDB support for IGMP snooping;
*) bridge - added max-learned-entries property for bridge;
*) bridge - added message about who created a dynamic VLAN entry;
*) bridge - added MVRP support for VLANs assigned to bridge;
*) bridge - do not allow duplicate ports;
*) bridge - fixed BPDU address when using "ether-type=0x88a8" configuration;
*) bridge - fixed MVRP leave;
*) bridge - fixed port "point-to-point" status after first link change;
*) bridge - fixed typo in filter and NAT error message;
*) bridge - improved system stability when removing MLAG configuration;
*) bridge - show invalid flag for ports that fail to be added to bridge (e.g. maximum port limit of 1024 is reached);
*) bth - improved stability on system time change;
*) certificate - added no-key-export parameter for import;
*) certificate - added support for cloud-dns challenge validation for sn.mynetname.net (CLI only);
*) certificate - automatically parse uppercase symbols to lowercase when registering domain on Let's Encrypt;
*) certificate - improved DNS challenge error reporting for Let's Encrypt;
*) certificate - improved RSA key signature processing speed;
*) certificate - show validity beyond year 2038;
*) chr - added support for licensing over IPv6 network;
*) chr - fixed incorrect disk size for ARM64;
*) console - added "about" filters for "find" and "print where" commands;
*) console - added "verbose=progress" mode for import status updates, and verbose output only on failures;
*) console - added additional byte-array option to :convert command;
*) console - added dry-run parameter to simulate import of files and find syntax errors without making configuration changes (verbose only);
*) console - added limits for dst-start and dst-end clock properties;
*) console - added lock screen via :lock command;
*) console - added uppercase and lowercase transform modes to :convert command;
*) console - disallow ping command with empty address;
*) console - display hint when requesting specific argument syntax;
*) console - do not show default boot-os setting in export;
*) console - fixed an issue where certain MAC address can be interpreted as time value;
*) console - fixed negative values for gmt-offset clock property;
*) console - fixed output of ping command in certain cases;
*) console - fixed typo in firewall error message;
*) console - improved :serialize and :deserialize commands and added support for DSV (delimiter separated values) format;
*) console - improved large import file handling, error detection and stability;
*) console - improved stability when pasting a large input;
*) console - improved stability when removing script;
*) console - increased default width for bitrate type of columns;
*) console - removed follow-strict parameter;
*) console - show rest-api name for active user connections;
*) container - clear VETH address on container exit and mark interface as running only when VETH is in use;
*) defconf - configure the default-route property for PPP clients only on devices with a built-in modem;
*) detnet - properly detect "Internet" status when multiple detnet instances present in network;
*) dhcp - added comment property for matchers, options and option sets;
*) dhcp - improved DHCP IPv4 and IPv6 client/relay/server underlying interface state change handling;
*) dhcp - improved insert-queue-before, parent-queue and allow-dual-stack-queue behavior;
*) dhcpv4-client - execute script on DNS server or gateway address change;
*) dhcpv4-server - added "class-id" parameter for DHCP server leases;
*) dhcpv4-server - added matcher ability to match substring;
*) dhcpv4-server - added name for "User-Class" option (77), "Authentication" option (90), "SIP-Servers-DHCP-Option" option (120) and "Unassigned" option (163-174) in debug logs;
*) dhcpv4-server - fixed setting and getting "next-server" property;
*) dhcpv4-server - increased lease offer timeout to 120 seconds;
*) dhcpv4-server - remove corresponding dynamic leases if their address-pool gets removed;
*) dhcpv4-server - show active-server and host-name in print active command;
*) dhcpv6-client - do not add default gateway twice when both prefix and address is acquired;
*) dhcpv6-client - fixed T1, T2, valid-lifetime and preferred-lifetime compliance with RFC8415 by using value 0;
*) dhcpv6-client - pause client and remove dynamically installed objects while it becomes invalid;
*) dhcpv6-client - release client on failed renew attempt;
*) dhcpv6-client - update gateway address for default route on renew;
*) dhcpv6-server - improved system stability;
*) discovery - added discover-interval setting;
*) discovery - added LLDP Port VLAN ID, Port And Protocol VLAN ID, VLAN Name TLVs support;
*) discovery - added LLDP-MED timeout;
*) discovery - changed default discover-interval setting from 60s to 30s;
*) discovery - set unknown bit for any unspecified link type in MAC/PHY TLV;
*) disk - added "wipe-quick" file-system option to format-drive command (CLI only);
*) disk - added log message when disks get added or removed;
*) disk - added simple test command to test device and filesystem speeds (CLI only);
*) disk - improved system stability;
*) disk - remove dummy "slot1" entries on CHR;
*) dns - added support for DoH with adlist;
*) dns - added support for DoH with static FWD entries;
*) dns - added support for mDNS proxy;
*) dns - improved imported adlist parsing;
*) dns - refactored adlist service internal processes and improved logging;
*) dns - refactored DNS service internal processes;
*) dns - show static entry type "A" field in console;
*) dude - fixed map element RouterOS package upgrade functionality;
*) ethernet - fixed port speed downshift functionality for CRS354 devices;
*) ethernet - improved system stability for Alpine CPUs when dealing with unexpected non-UDP/TCP packet transmit;
*) fetch - handle HTTP 401 status correctly;
*) fetch - improved logging;
*) file - renamed "creation-time" to "last-modified";
*) filesystem - improved boot speed after device is rebooted without proper shutdown;
*) filesystem - refactored internal processes to minimize sector writes;
*) firewall - added message when interface belonging to VRF is added in filter rules;
*) firewall - fixed an issue with unsetting src-address-type;
*) firewall - fixed IPv6 "nth" matcher showing up twice in help;
*) firewall - fixed issue that prevents restoring src-address-list and dst-address-list properties using undo command;
*) firewall - removed unnecessary TLS host matcher from NAT tables;
*) health - fixed board-temperature for KNOT device (introduced in v7.15);
*) health - fixed bogus CPU temperature spikes for CCR2216 device;
*) health - fixed missing health for CRS112-8G-4S device (introduced in v7.15);
*) health - improved voltage measurements for RB912UAG-6HPnD and RB912UAG-5HPnD devices;
*) health - removed unnecessary health settings for RB921 and RB922 devices;
*) health - upgraded fan controller firmware to latest version;
*) hotspot - properly escape all reserved URI characters;
*) ike1 - removed unsupported NAT-D drafts with invalid payload numbers;
*) ike2 - improved performance by balancing multicore CPU usage for key exchange calculation;
*) install - allow to save old configuration during cdrom install;
*) install - fixed ARM64 cdrom install (introduced in v7.15);
*) iot - added an option to delete default LoRa servers and a button to recover them if needed;
*) iot - added an option to log LoRa filtered packets;
*) iot - added LoRa NetID and JoinEUI filtering for LNS and CUPS connections;
*) iot - added LoRa option to filter out proprietary packets;
*) iot - fixed incorrect LoRa filter export behavior;
*) iot - fixed LoRa inability to set SSL for LoRa servers via command line;
*) iot - fixed LoRa inability to use variables for GPS-spoofing setting;
*) ip - added max-sessions property for services;
*) ip/ipv6 - added multipath hash policy settings;
*) ipip6 - make IPv6 LL address random;
*) ipsec - changed default dpd-interval from 2 minutes to 8 seconds and dpd-maximum-failures from 5 to 4;
*) ipsec - improved installed SA statistics update;
*) ipv6 - added "d" deprecated flag for expired IPv6 SLAAC addresses;
*) ipv6 - allow to properly disable address when it is generated from pool;
*) ipv6 - allow to properly move IPv6 address from slave interface to a bridge interface;
*) ipv6 - do not allow adding address with invalid prefix when using pool;
*) ipv6 - do not allow to manually delete LL address;
*) ipv6 - fixed "no-dad" functionality;
*) ipv6 - fixed dynamic duplicate address showing when static address is already configured;
*) ipv6 - fixed pool allocated addresses missing after reboot;
*) ipv6 - fixed SLAAC address dynamic appearance;
*) ipv6 - improved handling of IPv6 address information;
*) ipv6 - improved LL address generation process;
*) ipv6 - properly initialize default ND "interface=all" entry;
*) ipv6 - respect APN settings for "add-default-route" and "use-peer-dns" also when "accept-router-advertisements=yes";
*) ipv6 - warn user that reboot is required in order to properly apply accept-router-advertisements changes;
*) isis - fixed filter-chain and filter-select settings;
*) isis - install IPv6 link-local gateways correctly;
*) l2tp - improved system stability;
*) l3hw - added per-VLAN packet and byte counters to compatible switches;
*) l3hw - disable L3HW on bonding modes that do not support it;
*) log - added basic validation for "disk-file-name" property;
*) lte - added "sms-protocol" setting in "/interface lte" menu (CLI only);
*) lte - fixed "at-chat" for DELL T99W175 (PID: 0x05c6 VID: 0x90d5);
*) lte - fixed cases where LTE interface would take long time to become ready after bootup for Chateau 5G and Chateau 5G R16 (introduced in v7.15);
*) lte - fixed cases where modem could be handled by multiple dialer instances;
*) lte - fixed modem firmware upgrade for Chateau 5G and Chateau 5G R16 (introduced in v7.15);
*) lte - fixed possible crash when enabling/disabling config-less modem interface;
*) lte - fixed R11e-LTE no traffic flow when modem with older firmware version is used;
*) lte - fixed support for Fibocom modem fm150-na;
*) lte - improved modem AT/modem port open;
*) lte - improvements to "/interface/lte/show-capabilities" command;
*) media - improved file indexing for DLNA;
*) modem - added authentication functionality to EC200A;
*) modem - fixed PPP link recovery when port unexpectedly removed and returned due to modem firmware crash;
*) modem - fixed unresponsive PPP link recovery when TX bandwidth was exceeding link capacity;
*) modem - improved support for KNOT BG77 modem firmware update;
*) mqtt - broker password is no longer exported unless "show-sensitive" flag is used;
*) netinstall-cli - added check for device and package architectures match;
*) netinstall-cli - added support for multiple device install;
*) netinstall-cli - allow mixed package architectures;
*) netwatch - added DNS probe;
*) netwatch - added ttl and accept-icmp-time-exceeded properties for ICMP probe;
*) netwatch - use time format according to ISO standard;
*) ospf - improved system stability during LSA monitoring;
*) ovpn - improved system stability;
*) pimsm - improved system stability;
*) poe-out - fixed low-voltage detection while PD is connected for KNOT device;
*) poe-out - fixed silent firmware upgrade fail on CRS112-8P-4S device (introduced in v7.15);
*) poe-out - upgraded firmware for SAMD20 PSE (AF/AT) controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - added IPv6 support for the "remote-access" feature;
*) ppp - added SIM hot-plug enable command to default init-string for KNOT and CME gateway;
*) ppp - added support for IPv6-only domain names to l2tp-client, ovpn-client and sstp-client;
*) ppp - automatically generate IPv6 firewall rules when filter-id is specified;
*) ppp - fixed dynamic queue default name (introduced in v7.15);
*) ppp - fixed PPP info parser showing error for BG77 modem running on KNOT AUX AT/modem port;
*) profiler - classify wifi processing as "wireless";
*) ptp - added PTP support for CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ, CRS518-16XS-2XQ, CRS504-4XQ, CRS510-8XS-2XQ devices;
*) qos-hw - added H and I flags to queues;
*) qos-hw - added new monitoring properties for ports and global QoS stats;
*) qos-hw - added queue-buffers property to tx-manager;
*) qos-hw - allow port print stats, usage and pfc while QoS is disabled;
*) qos-hw - allow to set queue-buffers in bytes, percent or auto;
*) qos-hw - enabling ECN forces WRED (unless share is disabled);
*) qos-hw - fixed egress-rate limit validation;
*) qos-hw - fixed global buffer limits for 98DX8212 and 98DX8332 switches;
*) qos-hw - fixed WRED thresholds;
*) qos-hw - improved behavior when changing ports tx-manager;
*) qos-hw - limit WRED to queues with enabled shared buffers;
*) queue - improved system stability;
*) quickset - removed Basic AP mode;
*) rose-storage - fixed "/file sync status" parameter to be read-only;
*) rose-storage - moved "/rsync-daemon" to "/file rsync-daemon";
*) rose-storage - renamed sync "remote-addr" property to "remote-address";
*) route - added ability to redistribute isis routes;
*) route - fixed incorrectly handled route distinguisher and route targets (introduced in v7.15);
*) route - fixed memory leak (introduced in v7.15);
*) route - fixed some missing route parameters when printing (introduced in v7.15);
*) route - improved route attribute handling (may increase memory usage);
*) route - improved routing table update performance;
*) route - improved stability when getting entries from large routing tables;
*) route - place static route in the correct VRF when vrf-interface parameter is used;
*) route - rename route type from is-is to isis;
*) routerboard - improved Etherboot stability for CRS320-8P-8B-4S+ device ("/system routerboard upgrade" required);
*) routerboard - improved Etherboot stability for IPQ-40xx devices ("/system routerboard upgrade" required);
*) routerboot - improved boot process ("/system routerboard upgrade" required);
*) rpki - fixed preference sorting;
*) sfp - fixed calculated link length based on EEPROM in certain cases;
*) sfp - fixed missing traffic after reboot with S-RJ01 module running at 10/100 Mbps rate on CCR2004-16G-2S+ device;
*) sfp - fixed SFP28 interface with fec74 mode on CCR2004-1G-2XS-PCIe device;
*) sfp - fixed SFP28 jumbo frame processing on CCR2004-1G-2XS-PCIe device;
*) sms - added polling setting so that RouterOS itself checks SMS instead of relying on URC messages;
*) snmp - added support for KNOT BG77 modem cellular signal info;
*) snmp - fixed LAST-UPDATED format in MIKROTIK-MIB;
*) ssh - fixed SSH cryptographic accelerator selection for GCM cipher (introduced in v7.14);
*) ssh - fixed unsupported user SSH public key import (introduced in v7.15);
*) ssh - improved system stability when SSH tries to bind to non-existing interface;
*) supout - added detnet section;
*) supout - added monitor command for all wifi interfaces;
*) supout - added netwatch section;
*) supout - added user SSH keys section;
*) supout - increased console output width;
*) supout - limit address-list and connection tracking entries to 999 in supout.rif;
*) supout - rename "store" section to "disk";
*) switch - fixed an issue where half-duplex links could occupy Tx resources for 98DX8xxx, 98DX4xxx, 98DX325x switch chips;
*) switch - fixed an issue with Ethernet port group hang for CRS354 devices;
*) switch - fixed Ethernet interface counter 32bit overflow for CRS354 devices;
*) switch - fixed limited Tx traffic on Ethernet ports for CRS354 devices (introduced in v7.15);
*) switch - improved switch reset;
*) switch - improved system stability on CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) system - added "clock" logging topic for time change related messages;
*) system - added critical log message when not enough space to store new configuration;
*) system - added log message if device failed to reboot gracefully;
*) system - added more details to user initiated reboot (reset, upgrade, downgrade);
*) system - added support for upgrade over IPv6 network;
*) system - do not cancel package upgrade if another architecture packages found on the router;
*) system - do not download packages scheduled for uninstall;
*) system - do not start IPsec and certificate processes when not necessary;
*) system - fixed "free disk space" error message on system upgrade/downgrade;
*) system - fixed an issue where routing configuration was missing after performing a reset, adding a new configuration and then upgrading (introduced in v7.15);
*) system - fixed empty logs after reboot in certain cases;
*) system - improved internal system services messaging;
*) system - improved performance for TCP input;
*) system - improved reporting of total memory size;
*) system - improved system stability for CCR2004-1G-2XS-PCIe device;
*) system - improved system stability for RBSXTsq5nD and RBLDF-5nD;
*) system - improved system stability;
*) system - improved watchdog and kernel panic reporting;
*) system - reduced RAM usage for ARM64 devices;
*) system - set flash-boot mode as "boot-device" after system reset initiated by reset button ("/system routerboard upgrade" required);
*) system - set flash-boot mode as "boot-device" after system reset initiated from software;
*) traceroute - do not stop traceroute after 5 consecutive unreachable hops;
*) tunnel - allow specifying IPv6 LL address as "remote-address" for EoIPv6, GRE6 and IPIP6 tunnels;
*) user - added inactivity timeout for non-GUI sessions;
*) user-manager - updated logo;
*) vxlan - added comment support to VTEPs;
*) vxlan - prevent creating multiple VTEPs with same IP/port combination;
*) webfig - allow to enter time that exceeds 23:59:59;
*) webfig - correctly display default value for number type;
*) webfig - enabled hotlock mode for terminal;
*) webfig - fixed an issue where wrong menu title was shown;
*) webfig - fixed issue with incorrectly applying optional fields;
*) webfig - fixed sorting by datetime;
*) webfig - use "any" argument by default for Torch "Port" property;
*) wifi - added "slave-name-format";
*) wifi - added interface provisioning logs;
*) wifi - adjusted virtual interface naming when provisioning local radios;
*) wifi - do not allow frequency-scan on virtual interfaces;
*) wifi - do not unset radio-mac and master-interface properties on reset;
*) wifi - enable creating virtual wifi interfaces using "copy-from" setting;
*) wifi - fixed packet receive when having multiple station interfaces;
*) wifi - fixed signal strength reporting during association (introduced in v7.15);
*) wifi - fixed typo in log message;
*) wifi - improve regulatory compliance for Chateau ax devices;
*) wifi - improved interface stability when receiving invalid FT authentication frames;
*) wifi - improved system stability after interface hang;
*) wifi - improved WPA3 PMKSA handling when access-lists with custom passphrases are used;
*) wifi - make sniffer tool return an error when attempting to sniff with a radio which does not support it;
*) wifi - send channel switch announcements to clients when switching channels at requested re-select intervals;
*) wifi - use name-format also for local interfaces when provisioning;
*) wifi-qcom - add spectral-scan and spectral-history tools (CLI only);
*) wifi-qcom-ac - count dropped packets to "tx-drop" instead of "tx-error";
*) wifi-qcom-ac - improved memory allocating process;
*) winbox - added "Import Router ID" parameter under "Routing/BGP/VPN" menu;
*) winbox - added "Switch/QoS" menu for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) winbox - added "Trace" column under "System/History" menu;
*) winbox - added configuration settings for ROSE;
*) winbox - added extra "File System" under "Format Drive" button;
*) winbox - added missing "Default Name" property for interfaces;
*) winbox - do not show "Last Logged In" and "Expire Password" when creating new system user;
*) winbox - fixed "Authority" property under "System/Certificates/Requests" menu;
*) winbox - fixed duplicated "MVRP Attributes" table;
*) winbox - fixed false invalid flag under "System/Ports/Remote Access" menu;
*) winbox - fixed issue with skin file appearing as unknown in user group menu (introduced in v7.15);
*) winbox - fixed signal bar "excellent" tooltip;
*) winbox - fixed Switch menu for RB1100AHx4 device;
*) winbox - improved QR code display;
*) winbox - moved DHCPv6 Server "Allow Dual Stack Queue" property from General to Queues tab;
*) winbox - moved Switch menu tabs to individual menus;
*) winbox - properly display available address-pools for DHCPv6 server configuration;
*) winbox - removed deprecated x86/CHR specific settings under "System/Resources" menu;
*) winbox - removed spare argument for "PFS Group" property under "IP/IPsec/Proposals" menu;
*) winbox - renamed configurable wifi property "Tx Power" to "Max Tx Power";
*) winbox - separated different Watchdog settings into logical tabs;
*) winbox - use CAP serial number with "Set Identity" button under "WiFi/Remote CAP" menu;
*) winbox - use correct default value for "Partition Offset" property;
*) winbox/webfig - fixed skins (introduced in v7.15);
*) wireless - allow unsetting signal-range and ssid-regext properties for capsman access-list;
*) wireless - fixed dynamic VLAN assignments for vlan-filtering bridge in certain cases;
*) wireless - limit antenna-gain property to 100;
*) www - log out inactive REST API users;
*) x86 - added missing PCI ids for bnx2x driver;
*) x86 - added RTL8156 driver support;
*) x86 - fixed missing serial ports with MCS9900;
