MikroTik

pe1chl

Well, it is the budget model for home and (very) small office.
When you have other needs there are other models, even the CSS326 is only $20 more.

pe1chl

It is a more or less obscure feature, but when you have a use-case and your client supports it, it is very useful. Like so many features, probably a user has suggested it, and it was either quite trivial to implement it or the user had a good sales case. That does not mean it is useful to YOU. (or m...

pe1chl

Considering how old Mikrotik is, why dont they have a usenet server? With usenet, you do not need a server. You need a newsgroup or set of newsgroups. Others provide the servers. It would have been easy to create a number of alt.mikrotik.subgroup groups similar to what we have on the forum. With mo...

pe1chl

It seems that the forum is under some form of attack... The past few days I regularly got the message that the forum is currently offline, try again in a couple of minutes. As a Prosilver user I tried going to the profile page and selecting the other theme (forgot the name) and it shows a usable lay...

pe1chl

I've been checking on the windows 11 client and it doesn't seem to support this option. is there any information on how to reconfigure my devices to support this option? or is there a possible workaround, such as sending a message even if the client does not support the option? Why would you want t...

pe1chl

I tried again today on Windows 11 and now I found (and remembered) what was the problem: When you configure IKEv2 with username/password in Windows VPN the identity of the connecting router is not set to the username, but to the address of the system. Thus it is not possible to match the identity wh...

pe1chl

There is a 512Mbit Flash chip from ST on the upper side of the 1100AH board, and RouterBOOT says its 64MB. I went as far back as ROS 6.20 with RouterBOOT 3.18 -- always shows 64MB. Looks like some models shipped with 64MB. No worries - it served long. Greetings - azg As written above, it could be f...

pe1chl

Netinstall will for sure allow you to install the current (beta)version, but the question is whether you can upgrade after that... I had the same issue on a CCR1009 with 2 partitions (64MB each), it cannot upgrade anymore in that configuration. One would wish that it is possible to upgrade via a RAM...

pe1chl

When you have gone through so many updates, it is better to do a netinstall of 7.18.2.
Do a "/export show-sensitive file=myconfig" first and download the file, you can later import it to restore the config.
(although there usually are some unexpected hickups doing that)

pe1chl

do you have a list of domains or ip used for renewal? it doesn't seem very professional to expose the port to everyone unless there is a service exposed on it. There is no published list of IP addresses used for renewal. There is some document that says they don't publish it to reduce the risk of m...

pe1chl

I have upgraded a PPC 1100AHx2 router to 7.18.2 from 7.13 and the login page is messed up. Any ideas?

Look on page 1 of this topic!

pe1chl

Read the above.
Posting here is useless, submit a support ticket or mail to sales@mikrotik.com

pe1chl

Well, as you know this problem goes through a cycle. It has happened before that people could no longer upgrade certain devices, and they spent development effort to solve that for that moment. But of course the problem comes back, we all predicted that. Because the effort that was made yielded some...

pe1chl

hAP ac2 without wireless or wifi-qcom-ac is not a reasonably expected use of that device.
Normally you would buy a hEX for that use-case.

pe1chl

Well, there may be an issue with 7.18.2 after all... I netinstalled a wAP ac (old MIPBE version), I could connect it via MAC-TELNET, setup a password for admin (8 ASCII alphanumeric characters), could still login, then I added the wireless package (netinstall was only base package) and did a reset-c...

pe1chl

That means you are quite close to problems. Others may already run into problems, e.g. when they have a longer upgrade history, more complicated configuration, history of changes in configuration, etc.

pe1chl

Yes, I think that "applications" should all be split off in separate packages. Because there are no inter-dependency issues and often not everyone wants them. And they are now easy to install. That would include such things as: - CAPsMAN - Hotspot - Web Proxy - SMB server / Media server - ...

pe1chl

The wAP and cAP lines suffer from the same problem of having little permanent storage space, and they don't have a USB port. Why does the main RouterOS package need to load all the USB device drivers on these devices? Wouldn't it be possible to reduce the size of routeros.npk by about 2MiB if there...

pe1chl

AC2 only has 128Mb RAM ??
It's AX2 we're talking about.

Correct, I edited it. I meant ax2.

pe1chl

In any system that involves things like scripting languages, web interfaces, etc I at least avoid these characters all the time:
@ % " $ & # + < > (space)
That never hurts even when it is not really necessary.

pe1chl

I have once again log full or red "cache full, not storing" DNS Adlist related messages. My cache size is raised to 8192 KiB and Adlist size was something over the 2000 KiB. I definitely removed the functionality from the router. Ok but why do you use such a tiny amount of storage for the...

pe1chl

2025-03-04T01:01:17+01:00 MikroTik HeadOffice possible SYN flooding on tcp port 53 2025-03-04T06:06:52+01:00 MikroTik Branch3 possible SYN flooding on tcp port 53 2025-03-04T08:24:20+01:00 MikroTik Branch4 possible SYN flooding on tcp port 53 2025-03-04T08:52:10+01:00 MikroTik Branch2 possible SYN ...

pe1chl

One thing is for sure, posting on the forum will do zero for your request! You can try making a ticket in the support system, that will at least make it end up on the desk of someone considering it. Of course that does not mean it will be implemented, but at least there is a chance. Even better is t...

pe1chl

Windows Update uses http as well... (it uses https to determine what updates to download, and then downloads the actual updates over http)

pe1chl

Yes, when you have a hAP ac2 it is better to do a netinstall and also to give up on wifi-qcom-ac.
That simply will not last. Go back to "wireless" and when you want new drivers buy a hAP ax2 or ax3.

pe1chl

Why not? If https is used, then client can verify authenticity of server it's talking to. Yes, npk files do have some verification built in (I believe that packages are digitally signed by MT so it's not trivial to alter the contents). But two layers of security are better than one. And we definite...

pe1chl

*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18); Was the instability of CAKE that you previously mentioned really limited to having an interface with a CAKE queue and then deleting the queue type? In the ment...

pe1chl

When was that introduced?

pe1chl

Using console code as an example for how it would work in scripts is not good, especially not after you first used "print"!

pe1chl

*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18); Was the instability of CAKE that you previously mentioned really limited to having an interface with a CAKE queue and then deleting the queue type? In the ment...

pe1chl

Ok, a difference between your config and the one I use is that I do not use connection marks but I base the route mark on the source address of the packet (for output) and on a "PCC on src address" rule for the forwarded/NATted traffic (for loadbalancing). That selects the particular route...

pe1chl

Besides that, RouterOS already offers a "configure session" in terminal mode! Most people do not know it... When you enter a { in terminal mode, you enter a "block" (as in scripting) and you can enter commands, and when you enter } the block is closed and the commands are execute...

pe1chl

Back in those days we lived with having a dark screen with light characters on it. But when I first got a computer (in 1985) that used dark characters on a white background, and a windowing system that did the same thing, I really liked it and I never wanted to go back. Whenever I see a "dark m...

pe1chl

Thanks for the advice, It seems based on this that it would be recommended to netinstall when moving from v6 to v7.

Yes, that certainly is the case. Netinstall and import an export made just before (not a restore of a backup).
That will free up space, and prevent unexplainable problems as well.

pe1chl

When you are facing packet loss in a config like this, try disabling fasttrack.
You can start a "torch" on the internet interface, that will temporarily disable fasttrack.
When it then starts working, fasttrack is your problem.

pe1chl

Yes, there really should be multicast enhancement in the WiFi driver (multicast to unicast), but as he wrote it also happens with the Asus as an AP (and it undoubtedly has that) and is triggered by having the MikroTik router, it may be that the IGMP querier being buggy is the main cause. Of course I...

pe1chl

Actually it is not correct to stop a multicast stream immediately when there is no response to a query. I don't know if MikroTik use a well established IGMP implementation or have doctored their own (probably the latter) but the way it should work is: when a query is sent and a response received, th...

pe1chl

Please consider to have a settable option (even if only "normal" vs "long") for the connection timeout, i.e. when a device loses connectivity for up to a minute, maintain the connection instead of closing it after a few seconds.

pe1chl

When sorting the saved connection list, it can only be sorted on a single column. With v3.41, you can first click the "Note" header ("Comment" in v4) and then "Group" and you will get the list sorted by group first, and within the group sorted by Note. But in v4 for eve...

pe1chl

When you want to reach the claimed performance of these routers, you need to have "fasttrack". When you removed that (e.g. because you cannot have it co-exist with other config) or you did not yet add it (e.g. IPv6) you will not reach 1Gbit. In general, people expect performance similar to...

pe1chl

Yes, you need to do that. Because the probe packets to check the routes are sent using the main table and your actual traffic is sent via the ISPx table. Unfortunately there is no way to auto-copy some routes between different tables, so you need to do that manually. (MikroTik will tell you to use V...

pe1chl

Also, when you are so lucky to have a device like the RB951G-2HnD (low-end router from the good old days when you still got 128MB flash) you should have partitioned it before installing a beta!

pe1chl

Everything here requires either time or money, not just keeping the flash size small. Please take a look at the changelog and see where the effort goes in recent versions. The problem is that working on new features and fixing bugs in existing features inevitably leads to code expansion and people ...

pe1chl

It's not related to loops and there is an :error command already for that.

:error can only exit with error. what would be useful is an exit that exits without error.
(especially now that every script that exits with an error triggers a log message)

pe1chl

Indeed... while that LMP 5G is exactly what I am looking for at one of our locations, and it would be used with an RB5009 as a router so no need for additional packages, I really don't like the idea of having a device with so little flash space. Not only is there a risk of routeros not fitting anymo...

pe1chl

We have discovered that CAKE type queue can crash router in v7.18 and v7.19 – we are working on a fix for that. However, it is not as simple as - add queue and router crashes. Seems that a set of events or precise timing is required for the problem to appear. And yes - when your router fits the &qu...

pe1chl

For such purposes, you should use "Safe Mode". Very much suggested, especially for new users. https://help.mikrotik.com/docs/spaces/ROS/pages/328155/Configuration+Management#ConfigurationManagement-SafeMode That would only work for mistakes that make the router unreachable (like deleting ...

pe1chl

What's new in 7.19beta4 (2025-Mar-06 14:10): *) console - added on-error to "for" and "foreach" loops; Will "break" functionality ever be added for loops? (Don't tell me about workarounds) Or a way to exit from a script midway? ("exit" command with ok/error p...

pe1chl

Ok that is great! Is there further indication that they are working on fixing the BGP problems?

pe1chl

No idea if it was changed by now, but here the link on that page is: https://cdn.mikrotik.com/web-assets/supportsec/rss.xml

pe1chl

*) rose-storage - show btrfs balance and scrub errors if any; Well, in the 7.18 topic we discussed a little about whether they would use the "btrfs balance" or the "block-level mdraid" function for the RAID setups, and now we know: it is "balance". May the force be wit...

pe1chl

Assuming this is still about the "possible SYN flooding on tcp port 53": YES. When having hundreds of clients on the local network, there can be enormous bursts of DNS requests. The CCR2004 should be able to handle that. I have configured 10000 concurrent requests and 1000 TCP connections...

pe1chl

A crucial difference between "Safe mode" and also "apply changes only in RAM and require explicit save" and a transaction-like system is that with the latter you can apply a series of configuration changes and do an APPLY at the end of it. It is possible in RouterOS cmdline mode,...

pe1chl

Well, in your case it would have been valuable when you were warned because what happened is likely not what you intended! E.g. a device was powercycled without clean shutdown ... Nope, device was cleanly rebooted due to ROS upgrade. I can't explain the few hours jump myself, usually it is, as ever...

pe1chl

You still have the same BGP problems on 7.19b2? Do you have a forum post listing them all? I also have BGP with stuck routes on 7.16.1 that drive me crazy. I have not installed 7.19b2 yet. It does not list a fix for any of my problems in the changes list. I have posted several times in release topi...

pe1chl

Ok I seemed to remember that you posted it has been a problem for a while...
But indeed there are several BGP problems and the silence from MikroTik is deafening...
However, on my routers (with 7.18 and 7.18.1) there is no CPU usage problem, only the issues I mentioned before.

pe1chl

When upgrading my fleet from 7.17.2 to 7.18.1 ... I saw time jump of a few hours after reboot due to upgrade on one of devices. So the "after boot" time jump can be rather large. However I'd say that severity of first time jump (if caused by NTP client) after reboot can be down-tuned to i...

pe1chl

The point is lacking this kind of basic sanity checks on configuration changes. Even if some bug will cause this and there's no sanity check stopping it from happening and you are up to netinstall. It is not as bad as you suggest. Yes, sometimes you can remove an object and leave something else dan...

pe1chl

Critically of this action seems for me to be way to high. Exactly Very High :) Well, actually a change of time-of-day is a very critical event, but one could argue that in a device without built-in clock it could be labeled a little less severe when the time adjustment is forward, and less than 5 m...

pe1chl

We have seen this behavior as well with winbox, but port 8291 was only exposed to management vlan and I'm the only one accessing the device during that time so this SYN flooding warning is just a fluke at least for me I don't mind that it logs a bogus message, but I worry that when it detects the c...

pe1chl

I isolated the issue to BFD. When enabled it causes high CPU usage. I experience the issue on multiple routers and I set up a new router with empty configuration with just BGP + BFD and the issue still occurs. I reported the bug on ticket #SUP-181114 What parameters do you use for BFD? I have sever...

pe1chl

either way, I'd like to be able to tune this checks. Since they are in place, why not using them directly and tune them for our needs. Assuming this is still about the "possible SYN flooding on tcp port 53": YES. When having hundreds of clients on the local network, there can be enormous ...

pe1chl

What type of package manager introduces such a significant storage overhead? OpenWRT has been using "opkg" for years without issues. However, OpenWRT also provides board-specific builds - perhaps this is the key to addressing flash storage limitations on 16MB devices. The "packages&q...

pe1chl

I think the reason this has a high probability of appearing at reboot is because while the router is being rebooted, clients in the network are still firing DNS queries at it ... Yes I think that could be part of the reason, but what I observe is that on our main office network where there is lots ...

pe1chl

It is logged exactly once after every reboot. But I think that is because there is some "one time only" flag in the code to avoid overflowing the log with messages like that. However, I was watching a wireshark capture running on a PC that has "spurious delays when visiting websites&q...

pe1chl

After boot we get this message once: possible SYN flooding on tcp port 53 (I don't know at which version that started, but it was "recently") DNS service is only allowed from the local networks, not from the internet. There are hundreds of clients on the network and "SYN flooding on t...

pe1chl

I think the newly introduced products where it can be expected that users have more than basic needs (i.e. excluding switches) are no longer released with 16MB of flash. But we can all agree it was a stupid move from the beginning. Splitting stuff into packages introduces the issue that merely havin...

pe1chl

Just netinstalled this device. 7.18.1 is now running, but flash-space is tight. version: 7.18.1 (stable) free-hdd-space: 44.0KiB total-hdd-space: 16.0MiB board-name: D53G-5HacD2HnD platform: MikroTik It looks like your use-case is finished, and you need to either remain on a lower version or remove...

pe1chl

Just as an fyi for anyone here (I did create a support ticket, SUP-181012). I have a CCR2116-12G-4S+, with two partitions, each running 7.17.2 (they failover to the other if something breaks). When attempting to update to 7.18.1, via the Webfig, the system downloads the update, reboots and after ab...

pe1chl

then change the .txt to .pem

pe1chl

will measures be taken to increase free space on 16mb devices? hardly enough space to save a backup! You are not supposed to save your backup in flash memory! That normally is useless anyway. Make your backup in the RAMdisk (i.e. in the root directory on those 16MB devices), and then download it to...

pe1chl

It can also be a limitation of the used network card. I remember that my previous PC motherboard, which had 2 network devices on-motherboard, allowed >1500 byte MTU on one port but not on the other. This was with native Linux installed on the PC. I used one port for my LAN (including VLAN tags, it w...

pe1chl

There are four FP columns and you likely want to remove them all. That is most conveniently done using the available column selector.
Note that it has been much improved both in winbox 3 and winbox 4. In the old winbox 3 releases it was a multi-click procedure to remove each column.

pe1chl

You can remove columns using the widget at the extreme right on a screen. Another request: move the FP columns from the default layout of all interface types. I can understand they were added upon creation of the FP feature and MikroTik being very proud of it, but in general they are not very useful...

pe1chl

After the update, openvpn is rebooting the rb on each external connection made.

Please read previous replies to a release thread before adding another.

pe1chl

Absolutely the same situation ! It is not normal situation when need to do netinstall after each ROS upgrade. There already was good idea to exclude rarely used features like hotspot/mpls to separate packages !!! The official MikroTik reply is that running wifi-qcom-ac on a hAP ac2 is at your own r...

pe1chl

No idea why it does not work for you. It works perfectly fine for me.
In the meantime I have changed from a Vigor modem to a ZyXEL modem, do the VLAN tagging in the MikroTik, and it still works fine.
Must be an error on your config or in the network.

pe1chl

I have all kinds of BGP issues that were introduced with 7.16, reported, but not yet fixed. In version 7.15.x it worked much better. But I cannot downgrade because I require other fixes. @pe1chl, I have an idea. How many peers do your routers have? My main issues with BGP involve a network within a...

pe1chl

But you cannot replace a disk with the same disk, that is the problem.

pe1chl

Disadvantage of kernel RAID: when a single block error occurs the entire device is removed from the array and no longer updated. So when you have two disks in RAID-1 each with a block error at a different location, you lose all your data. BTRFS balance raid1 does not have that problem, it keeps both...

pe1chl

I have all kinds of BGP issues that were introduced with 7.16, reported, but not yet fixed.
In version 7.15.x it worked much better. But I cannot downgrade because I require other fixes.

pe1chl

I wanted to check if anyone else has experienced this issue on their CCR2216 running v7.16.2. Every now and then, routing seems to stop working properly, and when I go to Routing → BGP, the display is completely blank and unresponsive. Please make a support ticket! When the support tickets about BG...

pe1chl

No it does not IMHO. Different type of developers so there should be no conflict. I wish it were so, but experience shows that it isn't. If I open a ticket about dynamic routing or MPLS issue, it takes months to react. If I am the only one about this issue then there is not so big the problem is. T...

pe1chl

Indeed it already is optional on the router, that is not the issue. What most people worry about is that it takes away development resources from router functionality, e.g. BGP. That is clearly demonstrated by the BGP problems introduced in 7.16 (and not present in 7.15) still not having been fixed ...

pe1chl

Prophecy?

Well in the Newsletter #123 topic it already begins... "we want ZFS, not BTRFS".

pe1chl

PTP is used for DECT-bases to sync them if the area is large or the sync-over-air gests disturbed, so DECT with 3-60 bases can be found in basically every company, especially with a warehouse. We had them 15 years ago. All gone. Everyone uses mobile phones, with VoWIFI when required (e.g. in the wa...

pe1chl

Using BTRFS's RAID finctionality in enterprise environment is a kamikaze solution. I'm curious what solution they use if there is any RAID function in it. I hope it is battery backed HW RAID controller... It is unclear if the RAID function uses Linux block-level RAID or the BTRFS balance profile &q...

pe1chl

Yes, that would be great! But I fear that once the Rose Data Server really hits the street, we will see lots of requests for (in itself) reasonable requests around data server functionality. (some of them in software not written by MikroTik but becoming their responsibility when used as part of such...

pe1chl

Starting from 7.18, this list has both the packages that are installed, and those that are optional to install. Can't imagine people overseeing such a thing, can you? Well, I have often commented that the changelog is inadequate and should be replaced with something that has more info, links to doc...

pe1chl

PLEASE PLEASE PLEASE study the matter before you claim that packages get installed.
Starting from 7.18, this list has both the packages that are installed, and those that are optional to install.

pe1chl

There are no buffer on logging, All logs that are generated at boot are not sent since there are no network up and running. Logs will only be tried sent once, and if that does not work, they are not sent (UDP/TCP). Yes, and it is not something that can be solved easily. E.g. in our network the bran...

pe1chl

There was a firmware change in 7.16 that of course may affect you only later when you do not update firmware every upgrade. I had a CCR1009 go into a bootloop when I changed from 2 to 1 partitions (the first one being active) with 7.18beta4 to beta6 upgrade, and when trying to netinstall it things g...

pe1chl

When you require that functionality, instead log to memory (as is default) and retrieve the logs using API from a remote system...

pe1chl

Another useful addition would be when the connect-to parameter (router name) is specified without a username and password, it would connect using the username and password stored in the address list, without requiring further click on CONNECT button.

pe1chl

Everyone #2 - Please do not turn this version release topic again unrelated to the release itself and talking about how changelogs might be better, testing might be better, etc. Please open new forum topics for such discussions and let us keep these release topics related to RouterOS not management...

pe1chl

I upgraded a CHR that is on a local network only (with free license), from version 7.18beta6. After the reboot, 123MB more disk space is used than before. After another reboot, it falls back to 105MB more used. After another reboot with internet access, it returns back to normal. I have seen this be...

pe1chl

Stable release changelog has always been a list of changes since previous stable - bugs introduced and resolved within beta/rc are not in this list. It would be nice when new bugs introduced in a stable release would be added to the changelog (as a separate section) once they become known, so it is...

pe1chl

Random source port option would be useful in the NTP Client as well...

pe1chl

Indeed I should have been more specific, it was about "Windows 10 without additional client software". Of course there is software to use IKEv2 with Windows, but when you just go to networking and choose "add a connection to my work or school" (or whatever it is called today) the...

pe1chl

I can't find any LTE interface on my dozens of CCRs. CCR owners don't lose your hope and keep your spirits up Of course not... until you plug in a LTE USB stick (when your CCR has an USB port). Unfortunately there is no line with "*) bgp - improved stability;" in sight... that is what CCR...

pe1chl

It seems that in 7.16 there have been changes in the firmware to allow devices to return to factory state when a reset-configuration is done (either using command or the button) and it apparently sometimes gets invoked incorrectly, blocking a netinstall.

pe1chl

It has been discussed many times before. The trade-off is always between following the kernel releases and applying your in-house patches to ever changing kernel versions (having to adapt them all the time) or keeping the same kernel version+in-house patches and then following the kernel development...

pe1chl

It isn't an issue for statically defined peers. But those require fixed IP addresses. In this case I want to setup a service without having to worry about the IP addresses of the clients. Those regularly change, and it causes a maintenance nightmare. Also, most IPsec implementations do not backoff w...

pe1chl

In fact you can already set a lower MTU for IPv6 by configuring it in IPv6->ND. Your end devices which receive IPv6 addresses via SLAAC will pick up the reduced MTU and will use it for their transmitted packets. I have never encountered MTU=1488 on PPPoE over VLAN. Normally the 4 bytes of a VLAN hea...

pe1chl

Well, I crafted this solution as a replacement for an older implementation that was in a plain Debian Linux VM.
The goal was to use RouterOS to get an installation that would be easier to maintain.
Unfortunately until now that isn't the case, but maybe when I have everything finished it is...

pe1chl

I'm not against storage features or container support, only I think it should be a side project that gets done when the main features like routing and wireless are working OK.

pe1chl

Most likely the RB952Ui-5ac2nD died due to lack of storage during the upgrade. But netinstall should work. I had to netinstall a CCR1009 and ran into an issue because apparently the bootloader had been set to "flash-boot" and would not netinstall. I think it is due to a change in 7.16 firm...

pe1chl

Yes. I am hoping for one of the other IPsec experts to chime in, after all that worked well for the other question I recently posted.

pe1chl

Yes, I know that issue with EoIP (and also GRE and IPIP) with automatic IPsec configuration.... But in this case I am running an IKE2 server using identities for the different clients, and they all come in on the same "peer". (see the topic "IPsec tunnels without known remote IP"...

pe1chl

I am trying to setup an IPsec server that can accept different parameters, because I have found that defaults used by RouterOS are ancient and no longer supported in some more modern software. E.g. the default phase1 profile uses SHA1 hashing and 3des or aes-128 encryption, the default phase2 propos...

pe1chl

While this might be true it's still royal PITA to see core functionality of ROS stagnate at some (partially) defunct state while other functionalities (about which some users do care and are enthusiastic while majority of users don't give a s**t) are getting somewhere. Yes, what is so bad about it ...

pe1chl

As I wrote before, there should be a separate (portable) application that performs the netinstall function and also can function as an IP->MAC connection relay. You start it when you need MAC connection and then point your browser at some port like localhost:8291 and you get the list of available MA...

pe1chl

Our production network is on 7.13, and absolute zero issues with BGP. Some 1.9M routes hapily routing Don't upgrade past 7.15! We had to do that for other reasons, we use BGP internally on a small network, not for internet routing. But it now fails to perform is basic task: keeping alternative rout...

pe1chl

+1, I couldn't agree more. I use those features, and I am happy with the functionalities they provide...

I use BGP routing, and I am sad it no longer works reliably (as it did in v6 and for some time in v7, I would say between 7.10 and 7.15).

pe1chl

If you don't like/need them, just don't use them, what the problem? I'm 100% sure, there are different developer teams for network features/storage features and they don't affect each other productivity. Well, the problem is that the network developer team fouled up the routing in 7.16 and now in 7...

pe1chl

This is why it would be better to get the functionality of winbox integrated into webfig, so there is no issue with "platform" anymore, everyone brings their own modern browser to their own (supported or unsupported) operating system.

pe1chl

We will look into this, but the route service crashes that you are experienced were also there on your router in v7.16, so they are not introduced in v7.18. It is clear that in 7.16 some breakage was introduced in the routing... and now we cannot assume that it will ever be fixed? I presume the win...

pe1chl

Heads-up - breaking changes for management and monitoring: *) console - put !empty sentence when API query returns nothing; It's still not in docs, which is annoying since we're now at "rc". IMO docs should be done by a "release candidate" (i.e. theoretically shippable). And dev...

pe1chl

The above DNS content is invalid. You cannot have two CNAME records for the same DNS name! But just like many DNS servers will not enforce that or will only issue a warning (and similar for web-based DNS editors), most DNS resolvers will not check for upstream errors and will just cache whatever gar...

pe1chl

First try it with an ethernet cable instead of WiFi to isolate that issue with multicast over WiFi.

pe1chl

MikroTik staff often argues that the importance of each changelog entry varies from person to person, so users should read the entire changelog. I have suggested possible improvements to the whole changlog thing but they are ignored. Changelog lines are too cryptic (you first have to learn a number...

pe1chl

This message is there since v7.14. Please stop hijacking version topics with discussions about other features/issues/bugs. We will look into this and will find a solution. Keep this topic related to 7.18 please! I went back to the 7.14 release topic and I see that user "jimmer" at that ti...

pe1chl

Well, I think there should probably be a "/system/reset-configuration keep-users=yes no-defaults=yes import -after-reset=myconfig.rsc" command that should run the import in verbose mode and log output including errors to a myconfig.log file, and every time there is an error that is not syn...

pe1chl

I often had errors while importing, not only with ports. And this is a very good idea! I would suggest to implement it like adding some parameter to import command that will allow to ignore errors. Like /import file=myconfig.rsc ignore-errors=yes Not only with "import" but also with "...

pe1chl

Today I wanted to load the /export of our router, because there was a change in IP address that occurs in many different places. So I did a /export of the config of our CCR2004-16G-2S+ running 7.18beta2, and it included: /port set 0 name=serial0 set 1 name=serial1 This has always been part of the /e...

pe1chl

Yes, it should have been added long ago, in v6 even (where separate packages for core functionality still were a thing).
I don't understand what people have against it.

pe1chl

I think it only applies to what we now call "old" devices ..[cut].. I solved the issue selecting the 'backup bootloader', rebooting and re-apply the routerboard fw update. Then back to the normal bootloader. Maybe it's not right .. but no more complaint in the log ;-) When that is the sol...

pe1chl

I think it only applies to what we now call "old" devices. The RB951G for example, which is MIPSBE. It is apparently assumed that everyone had upgraded to v7 before v7.6 and then could upgrade to that version and upgrade the backup-routerboot with that. In my ticket I explained that I got ...

pe1chl

Well, the actual whole picture here would be that our support team wanted to find out firstly what is the reason why you "must" upgrade the bootloader and just wanted to look into this deeper and help not just to you but also to others by doing some global changes if necessary. Unfortunat...

pe1chl

Maybe they have a script that adds this standard reply to every ticket that has been open for some time and does not have a supout.rif attached??

pe1chl

I expect @normis to intervene again to steer us at discussion about release-specific issues and I can understand that attitude. Well, the problem is that when you open a topic in another category you will usually not get replies from MikroTik employees, at least in the release topics that is much m...

pe1chl

From user's perspective, seeing list of available optional packages on device itself is huge step in right direction. The way it was done until now (downloading separate ZIP file, extracting wanted package, uploading it to device, rebooting) was very error prone ... one had to select correct archit...

pe1chl

Regarding wifi-qcom-ac: I don't understand why they don't split it into two separate versions: That already happened. We now have wifi-qcom and wifi-qcom-ac. Before that, there was no chance to install on 16MB devices. But maybe the wifi-qcom-ac should instead be two other packages. Unfortunately e...

pe1chl

(as new wAP still came with v6 from factory in 2024 it seems) Really struggling how MikroTik gonna stick to their "5 years of upgrades after purchase date" for some of devices released in 2024, because they are already failing on user's desks unable to take any config changes as they ran ...

pe1chl

Well of course it would be possible to have different routeros base packages, where the kernel modules and userland code for a lot of features are or are not present. I don't see the typical hAP ac2 user use stuff like MPLS, for example. I can understand why MPLS would be difficult to keep in a sepa...

pe1chl

On the note of above, can we please separate cloud package from routeros? Well, I really think that all applications should be separated in packages, not only that but also stuff like proxy, smb, hotspot, etc. But as far as I understand the architecture there is some overhead for having a package, ...

pe1chl

I do not see how such a messy and convoluted workaround would be the best solution to have connected routes in a second routing table...
I don't want to associate a routing table with interfaces, that is not the goal.

pe1chl

What's new in 7.18beta5 (2025-Feb-07 12:25): *) dhcpv4-client - allow selecting to which routing tables add default route (additional fixes); Very welcome!! A long-awaited feature :) It would be nice to allow multiple "routing tables selection" and per routing table "default route di...

pe1chl

I have a CHR "free" which I have used a since quite a while for v7 testing and where I always install the betas first. Since this week (when updating to beta4) I found that it has logged: system,error,critical could not save configuration changes, not enough storage space available. and in...

pe1chl

Can it really be that someone has knowingly opened port 53 to traffic from WAN? That message also occurs when you have correctly opened it only on LAN but have quite some online devices. For us it only happens immediately after upgrade. Probably some devices get impatient because the router is down...

pe1chl

IMO such arguments are relevant only to users with physical access to deployed devices and totally in applicable to customers who must roll trucks with such constraints. Care to make a wager about which market has greater sales volume? Well, when we look at newly introduced devices and the kind of ...

pe1chl

I think there should be an additional device-mode flag (e.g. named device-mode) which you can enable once and for all to skip all future device-mode flag additions (i.e. automatically enable them).

pe1chl

But zerotier has an associated device-mode flag!

pe1chl

It is difficult because the file management possibilities of RouterOS are limited.
Probably best is to share the disk to a PC on the local network (using IP->SMB or the optional rose-storage package for NFS etc) and then run a backup program on the PC.

pe1chl

- repartition: I don't understand what the current situation is supposed to fix. Sure I like it that without repartition flag we can now copy and switch partitions, but what attack scenario is now made impossible? - routerboard: It sure would be nice when there was another boot setting that first tr...

pe1chl

So many people will have to recover bricked router with 0 KiB of free storage, as I had to do today. I feel obliged to write some reviews and warn them. Well, I don't think there is a need to warn MikroTik, they are well aware of the 16MB issue and especially for the hAP ac2. They must have spent c...

pe1chl

But it only works on 5GHz. That is not useful for me. Remember that when "wireless" was still in the base package, and wifi-qcom-ac did not yet exist, it was already possible to install wifi-qcom on this. But it would disable the wireless function. Why? I would think wifi-qcom could handle...

pe1chl

Old Wi-Fi driver is inferior to new driver. As Normis has written before: this device was sold with the old Wi-Fi driver, it is not necessarily compatible with the new driver. It really is time to bin this thing. Unless indeed (as written by others) you use it only as a router or only as an accessp...

pe1chl

It would already be helpful when there was a separate script output by e.g. /system/default-firewall/print, in a way that can be cut/paste. That’s why I established my defconf collection . Cut and paste from any that’s close enough to your use case. Yeah, but what we need is something local to the ...

pe1chl

Expected much more from VRRP than just the routing function failover. Real (hot or cold) standby for DHCP, User Manager, Hotspot is not easy with MT. Well I am not even looking for a VRRP solution, it is fine for me when I can have two routers at two locations with a tunnel between them, each runni...

pe1chl

And you cannot combine WPA2-EAP and WPA3-EAP on a single SSID. I don't think that's correct. On my UniFi APs setting Security Protocol to "WPA3 Enterprise" allows both old and new devices to connect to the same access point and same SSID. I have tested that (maybe a year ago) and in WPA3 ...

pe1chl

I have the same problem, but with a UAP-AC-HD

Without a schematic it is difficult, as PoE has that magic detection/power-up sequence that is difficult to debug.

pe1chl

I am considering it but it ads another layer of complication as I have three physically separated locations visited by the same users. Radius would be one point of failure if it becomes inaccessible for any reason. I yet have to try setting User Manager on all locations and see if I can set managea...

pe1chl

I suggested before that the DHCP server should have a pre-lease script that is called when the DISCOVER packet is received and can be used to set DHCP parameters like the pool to be used, the lease time, network parameters, etc. With that it would be possible to put dynamic MAC addresses in a separa...

pe1chl

I am still hoping for a solution where defconf for the firewall can be applied to an existing router... some command that removes the firewall config and reloads it from defconf, if only as a commandline script. This can be done very easily - just print defconf and apply what you need. But this sou...

pe1chl

You can implement a "bridge filter" that drops packets with src MAC 02:00:00:00:00:00 / 03:00:00:00:00:00
(first is the MAC, second is the "mask")

pe1chl

My SmokePing shows a +1ms in latency difference since updating to 7.18. That's consistent across all targets. Not a big deal, but it certainly stands out in the graph and exactly coincides with me doing the update. Useless comment when you do not mention compared to what previous version! Maybe you...

pe1chl

I share the same concern. The limited 16MB flash storage has been known for years, yet no new hardware revision of e.g. hap ac2 with more memory has been released. ??? hAP ax2, clearly the successor of hAP ac2, has 128MB flash. Of course it is more expensive and what is puzzling is that hAP ac2 is ...

pe1chl

I would never buy a new 16MB device. Others can do what they like...

pe1chl

Enabled multicast but blocked multicast e.g. in firewall

pe1chl

That is not possible because those parts are not user-serviceable (they are not socketed and not easy to solder).
Furthermore, hAP ac2 is just a "throwaway device" which users would replace with something like hAP ax2 or hAP ax3 once they find the limits.

pe1chl

It depends on your configuration. And also if you installed the new WiFi driver, which really is too big for this device.
On my hAP ac2 with old driver (wireless) I still have 1028kB free.

pe1chl

Indeed there should be some way to vacuum the database. Remove all deleted records and undo history. When there is not enough space in the flash it can be done using the ramdisk as temporary storage. (of course with the risk that the config may be lost when the power is interrupted at the wrong mome...

pe1chl

Make backup, netinstall 7.17.1 and restore backup.

pe1chl

it certainly is related to the configuration as I have a similar network (IPv6 with different /64 on tagged VLANs) running without issue.
so make a new topic including /export of bridge and ipv6.

pe1chl

And: only values that are actually modified should be set when hitting OK. Those are the blue-colored fields in winbox3. That should also mean that a value that is inherited from a template (and shown in the edit dialog) is not stored when something else in the dialog is changed. Even better would b...

pe1chl

When you have a special need to have a serial number in messages, why don't you add it to the device identity of your devices?
So instead of hAP-test you call it hAP-test-E1548DC8753B

pe1chl

Does a netinstall with keep-configuration flag effectively to the same as an export to file, then reset-configuration with import from that file?
Or is it more like the restore of a backup?

pe1chl

The number after the version string is the "deviceEventClassId" which is supposed to be a unique ID of each message. However, the numbers 10 and 65 are probably not that, it looks like this is still to be implemented... Ok that would be nice for long message that may be splitt to multiple...

pe1chl

Calm down! Let them debug and finish BASIC FUNCTIONALITY in BGP before starting such things...

pe1chl

The number after the version string is the "deviceEventClassId" which is supposed to be a unique ID of each message.
However, the numbers 10 and 65 are probably not that, it looks like this is still to be implemented...

pe1chl

Settings for neighbor discover LLDP are lost on upgrade to 7.18beta2.
E.g.:

/ip neighbor discovery-settings
set discover-interface-list=discover lldp-mac-phy-config=yes \
    lldp-med-net-policy-vlan=16

After upgrade they can be re-applied and still work.

pe1chl

Yes, there is an open ticket. Useless to share it here because you cannot access that anyway.
The ticket was made 23/Jul/24 but unfortunately after the usual "please send supout files when the problem occurs" (and doing that) there was no further progress.

pe1chl

BTW, when you listed default config, your terminal windows wasn't wide enough, some rules were clipped on the right side (the above written one as well). Well, an irritating problem in printing default-configuration is that it does not wrap the lines and the lines are very long. So you need to prin...

pe1chl

Thanks for feedback. There was a chance that route process crashed during "/routing/bgp/advertisements/print". Updated the changelog: *) bgp - improved system stability when printing BGP advertisements; Ok that is nice, but I hope that the other BGP instabilities will also be fixed. At le...

pe1chl

*) bgp - improved stability;

What does it mean exactly? What is the scenario that has been fixed?

pe1chl

The "LAN devices receive adversed IPv6 addresses from all VLANs" is that referring to Windows devices that are on ports with tagged VLANs present?
As that is a Windows bug, has nothing to do with RouterOS.

pe1chl

You can compare the ipv4 firewall....

pe1chl

You can display the defconf using: /system/default-configuration/print

pe1chl

The question is: was the method before the "new method" documented? Probably it was a "known" method, apparently someone was able to write an independent mac-telnet program that worked. And now that no longer works. Still, "security by obscurity" is not a method that i...

pe1chl

We only make changes that improve security of the users, none of those changes are to actively deny 3rd party OSes @normis! So good to see you out and about. I find your reassurances both credible and compelling. Thank you, Well, "improving security of the users" by making changes and the...

pe1chl

I am still hoping for a solution where defconf for the firewall can be applied to an existing router... some command that removes the firewall config and reloads it from defconf, if only as a commandline script. So far none of changes in firewall defconf was ever applied when upgrading ROS. So I do...

pe1chl

But noticed "cloud" or "file-share" are not selectable in device-mode. If the whole of idea was minimizing the attack surface, we're already off to some inconsistency ;). I think device-mode was a knee-jerk reaction to some bad publicity about MikroTik routers being compromised ...

pe1chl

Please make the setting for "inline comments" a 3-state: either not inline (separate line) or inline with the option to have it either at the beginning (as it is now) or at the end of the line (as it is in winbox 3) by default. Of course one can always move it afterwards, but having to do ...

pe1chl

Please add fasttrack ipv6 in defconf Not saying it's not already ... but defconf is only applied when device is reset to factory defaults (where "factory" part is a bit misleading because it's not config applied in factory when manufacturing device, it's config set as default in any parti...

pe1chl

I believe the snmp error about OID not increasing was occurring a few releases back when snmp routes support was first introduced. Rerunning snmpwalk got stuck and eventually timed out, and rerunning it again it returned the same error. This router and others that have had this behavior are being m...

pe1chl

Well, in the solution I use now (as suggested above by sindy) that issue doesn't actually occur, because all the policies are configured as templates and they only become active policies when the peer has connected. I think I now have it working correctly and am working with more knowledgeable users...

pe1chl

I agree, but I also want to stress that loading 4 full tables on an internet border gateway is not the only use-case for BGP.

pe1chl

Ok I have been using RouterOS only from version ~6.29 and I was impressed with how BGP/BFD worked back then. With v7 there initially was the problem of "no BFD" and "buggy filters", but that seems to have been resolved by now. Unfortunately it now longer does its basic function: ...

pe1chl

That may be true, but before they used a standard BGP implementation and Linux routing, and in v7 it was replaced by in-house written code and frankly for me it has only caused trouble. I can understand how they were motivated by things like having a 72-core flagship router utilizing only a single c...

pe1chl

Mikrotik have a significantly larger team of developers working on RouterOS core functionality now than they did in the RouterOS v6 to v7 transition phase Where do you have that info from? Has there been some announcement that I missed? I still get the perception that the number of developers limit...

pe1chl

You will probably have to do your own tests, as it worked for me in 7.15 already... also make sure your client isn't broken, like WinPE is!
(an issue in that version is that it advertises deprecated prefixes as deprecated forever, did not test that with 7.18beta yet)

pe1chl

The problem with device-mode is not that "no router has all features". You can simply enable all features on all your routers. The problem is that it requires physical access to enable a feature, and there is no possibility to enable a feature before you upgrade (and lose access to the fea...

pe1chl

Well, it is usually possible to configure the policy, so that should not really be an issue. W.r.t. the routing: unfortunately it is not that simple. I need to announce the active routes (active IPsec tunnels) on BGP. This server is running in a separate CHR from the core router, and the tunnels can...

pe1chl

On Mikrotik acting as a server, you can have multiple /ip ipsec identity items attached to a single peer with address=::/0 , one per actual peer, that match by any remote-id other than IP address. For each said identity, you define a separate /ip ipsec policy group and set the policy-template-group...

pe1chl

Ok that is good to know, I feared it would be impossible there too because RouterOS probably uses it...

pe1chl

I have to try that solution with a group, but I have already tried to have a single defined peer with multiple identities, and that seemed to work but it breaks down when more than one peer connects at the same time. I will try with the group. Normally we use tunnels (either GRE, GRE/IPsec, or L2TP/...

pe1chl

No it is not practical to register remote locations in DNS. It is for the hobby network, not for the company, and the remote users are of varying skills. What I need is a solution where the remote can configure their router or Raspberry Pi or whatever and then get their subnet IP-tunneled. This is w...

pe1chl

I am trying to setup an IPsec tunnel server that allows remote systems without previously known public IP (or dynamic IP) to connect, and to get a subnet tunneled to them. There may be like 50 remote systems, each with their own fqdn identity and PSK. In the past I got that working using "racoo...

pe1chl

I add dummy lines to the firewall this way:

/ip firewall filter
add action=log chain=-------- comment=-------------

(I use these as separators between different chains)

Search found 12850 matches