v7.12beta [testing] is released!

RouterOS version 7.12beta has been released on the “v7 testing” channel!
Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during the upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What’s new in 7.12beta9 (2023-Sep-25 15:19):
!) ethernet - changed “advertise” and “speed” arguments, and removed “half-duplex” setting under “/interface ethernet” menu;
!) health - removed “temperature” health entry from boards, where it was the same as “sfp-temperature”;
!) sfp - convert configuration to support new link modes for SFP and QSFP type of interfaces;
*) bfd - improved system stability;
*) bgp - fixed “input.filter-chain” argument selection in VPN configuration;
*) bgp - improved logging;
*) bluetooth - added basic support for connecting to BLE peripheral devices;
*) console - export required properties with default values;
*) console - improved system stability;
*) console - restrict permissions to “read,write,reboot,ftp,romon,test” for scripts executed by DHCP, Hotspot, PPP and Traffic-Monitor services;
*) l3hw - fixed IPv6 route suppression;
*) led - fixed “interface-status” configuration for virtual interfaces;
*) lora - added LNS protocol support;
*) lte - changed R11e-LTE ARP behavior to NoArp;
*) lte - fixed sub-interface auto-removal in multiple APN setups;
*) lte - show correct data class when connected to 5G SA network;
*) mqtt - added on-message feature for subscribed topics;
*) mqtt - added parallel-scripts-limit parameter to set maximum allowed number of scripts executed at the same time;
*) mqtt - added wildcard topic subscription support;
*) netinstall - added option to discard branding package;
*) netinstall - display package filename in GUI Description column if package description is not specified;
*) netinstall-cli - added option to discard branding package;
*) netinstall-cli - allow “.rsc” script filenames;
*) poe-out - driver optimization for AF/AT controlled boards;
*) poe-out - fixed rare CRS328 poe-out menu and poe-out port config loss after reboot;
*) route - added “single-process” configuration setting, enabled by default on devices with 64MB or less RAM memory (CLI only);
*) route - added “suppress-hw-offload” setting for IPv6 routes;
*) route - reverse community “delete” and “filter” command behavior;
*) routerboard - added “reset-button” support for RB800, RB1100 and RB1100AHx2 devices;
*) sfp - fixed 25Gbps link with FEC91 (introduced in v7.12beta7);
*) snmp - changed “mtxrGaugeValue” type to integer;
*) switch - fixed packet forwarding between Ethernet ports for CRS354 switches (introduced in v7.12beta7);
*) webfig - fixed timezone for interface “Last Link Down/Up Time”;
*) wifiwave2 - correctly add interface to specified “datapath.interface-list”;
*) wifiwave2 - fixed re-connection failures for 802.11ax interfaces in station mode;
*) wifiwave2 - limit L2MTU to 1560 until a fix is available for a bug causing interfaces to fail transmitting larger frames than that;
*) wifiwave2 - log more information regarding authentication failures;
*) winbox - added “Host Key Type” setting under “IP/SSH” menu;
*) winbox - added “Key Owner” setting under “System/User/SSH Keys” and “System/User/SSH Private Keys” menus;
*) winbox - added “Remote Min Tx” parameter under “Routing/BFD/Session” menu;
*) winbox - added “Startup Delay” setting under “Tools/Netwatch” menu;
*) winbox - added “Use BFD” setting under “Routing/RIP/Interface-Template” menu;
*) winbox - added MQTT subscription menu;
*) winbox - allow to specify server as DNS name under “Tools/Email” menu;
*) winbox - rename “DSCP” setting to “DSCP (+ECN)” under “Tools/Traffic-Generator/Packet-Templates” menu;
*) winbox - rename “Name” setting to “List” under “IP,IPv6/Firewall/Address-List” menu;
*) winbox - rename “Password” button to “Change Now” under “System/Password” menu;
*) wireguard - added “auto” parameter for “private-key” and “preshared-key” parameters;
*) wireguard - request public or private key to be specified in order to create peer;
*) x86 - igb updated driver to 5.14.16 version;
*) x86 - igbvf updated driver from in-tree Linux kernel;
*) x86 - updated latest available pci.ids;

What’s new in 7.12beta7 (2023-Sep-13 09:58):
!) ethernet - changed “advertise” and “speed” arguments, and removed “half-duplex” setting under “/interface ethernet” menu;
!) sfp - convert configuration to support new link modes for SFP and QSFP type of interfaces;
*) api - fixed fetching objects with warning option from REST API;
*) bgp - implemented IGP metric sending in BGP messages;
*) bluetooth - use “g” units when decoding MikroTik beacon acceleration on peripheral devices menu;
*) certificate - allow to remove issued certificates when CRL is not used;
*) certificate - fixed certificate auto renewal via SCEP;
*) chr - iavf updated driver to 4.9.1 version;
*) console - improved randomness for “:rndstr” and “:rndnum” commands;
*) console - improved stability when using “special-login”;
*) console - improved system stability through RoMON session;
*) console - improved system stability when using autocomplete;
*) dhcp - fixed DHCP server “authoritative” and “delay-threshold” settings (introduced in v7.12beta3);
*) ike2 - improved rekey collision handling;
*) ipsec - fixed Diffie-Hellman public value encoding size;
*) ipsec - fixed minor typo in logs;
*) ipsec - reduce disk writes when started without active configuration;
*) ipv6 - send RA and RA deprecate messages out three times instead of just once;
*) l3hw - improved system stability during IPv6 route offloading;
*) leds - added “dark-mode” functionality for RBwAPG-5HacD2HnD;
*) leds - added “wireless-status” and “wireless-signal-strength” configuration types for wifiwave2 interfaces;
*) log - improved logging for user actions;
*) lte - fixed 5G data-class reporting for Chateau 5G;
*) lte - fixed APN authentication in multi APN setup for R11e-LTE6;
*) lte - fixed IPv6 prefix for MBIM modems in multi-apn setup when IPv6 APN used as not first APN;
*) lte - fixed RSSI for FG621-EA modem to show the correct value;
*) lte - fixed startup race condition when SIM card is in “up” slot for LtAP mini;
*) mpls - improved FastPath next-hop selection hash algorithm;
*) netinstall-cli - added empty configuration option “-e”;
*) netwatch - decreased “thr-tcp-conn-time” maximum limit to 30 seconds;
*) ovpn - improved system stability;
*) pimsm - improved system stability;
*) qsfp - added 50Gbps rate support for QSFP28 interfaces;
*) qsfp - fixed sub-interface EEPROM monitor data output (introduced in v7.12beta3);
*) qsfp - improved auto link detection for 100G CWDM4 modules and AOC cables (introduced in v7.12beta3);
*) qsfp - use sub-interface configuration for establishing link (for 40Gbps and 100Gbps links, all sub-interfaces must be enabled);
*) routerboard - added “reset-button” support for RB800 and RB1100 devices;
*) ssh - improved connection stability when pasting large chunks of text into console;
*) supout - added interface list members section;
*) switch - improved resource allocation for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) traffic-generator - fixed traffic-generator on CHR and x86;
*) usb - added support for RTL8153 USB ethernet on ARM, ARM64 and x86;
*) vrf - limit maximum VRFs to 1024;
*) vxlan - improved system stability for Tile devices;
*) webfig - fixed “Days” property configuration change under “IP/Firewall” menu;
*) webfig - fixed timezone for interface “Last Link Down/Up Time”;
*) webfig - improved Webfig performance and responsiveness;
*) webfig - try to re-establish connection after disconnect;
*) wifiwave2 - added an alternative QoS priority assignment mechanism based on IP DSCP (CLI only);
*) wifiwave2 - added station-bridge interface mode (CLI only);
*) wifiwave2 - do not show default “l2mtu” on compact export;
*) wifiwave2 - fixed PTK renewal for interfaces in station mode;
*) wifiwave2 - fixed sniffer command not receiving any QoS null function frames when using 802.11ax radios;
*) wifiwave2 - fixed untagged VLAN 1 entry when using “vlan-id” setting together with vlan-filtering bridge;
*) wifiwave2 - fixed warning on CAP devices when radar detected;
*) wifiwave2 - implemented an option to transmit IP multicast packets as unicasts (CLI only);
*) wifiwave2 - improved compliance with regulatory requirements;
*) wifiwave2 - make 4-way handshake procedure more robust when acting as supplicant (client);
*) winbox - added “Comment” under “Routing/BFD/Configuration” menu;
*) winbox - added “g” flag under “IPv6/Routes” menu;
*) winbox - added “Name Format” property under “WifiWave2/Provisioning” menu;
*) winbox - changed “MBR Partition Table” checkbox to unchecked by default under “System/Disks/Format-Drive” menu;
*) winbox - fixed “Address” property under “WifiWave2/Remote-CAP” menu;
*) winbox - fixed “Group Key Update” maximum value under “WifiWave2/Security” menu;
*) winbox - fixed entry numbering and ordering under “WifiWave2/Provisioning” menu;
*) winbox - fixed minor typos;
*) wireguard - allow to specify client settings under peer menu which will be included in configuration file and QR code;
*) wireguard - generate Wireguard peer keys and preshared-key automatically, if value is specified but is not base64 string;
*) wireguard - removed “wg-add-client” configuration wizard (introduced in v7.12beta3);
*) wireless - added more “radius-mac-format” options (CLI only);
*) www - fixed allowed address setting for REST API users;
*) www - fixed fragmented POST data for SCEP service;
*) x86 - i40e updated driver to 2.23.17 version;
*) x86 - igc updated driver to 5.10.194 version;
*) x86 - ixgbe updated driver to 5.19.6 version;
*) x86 - Realtek r8169 updated driver;

What’s new in 7.12beta3 (2023-Aug-24 12:15):
!) ethernet - changed “advertise” and “speed” arguments, and removed “half-duplex” setting under “/interface ethernet” menu;
!) sfp - convert configuration to support new link modes for SFP and QSFP type of interfaces;
*) bgp - fixed “atomic-aggregate” always set in output;
*) bgp - fixed local and remote port settings for BGP connections;
*) bgp - increase “hold-time” limit to 65000;
*) bridge - fixed fast-path forwarding with HW offloaded vlan-filtering (introduced in v7.11);
*) bridge - fixed untagged VLAN entry disable;
*) bridge - fixed vlan-filtering stability with HW and non-HW offloaded ports (introduced in v7.10);
*) bridge - improved vlan-filtering bridge stability with CAPsMAN (introduced in v7.11);
*) bth - added “Back To Home” VPN service for ARM, ARM64, and TILE devices;
*) calea - improved system stability when trying to add rules without the CALEA package;
*) console - added “transform” property for “:convert” command;
*) console - fixed scheduler “on-event” script highlighting when editing;
*) console - improved multi-argument property parsing into array;
*) console - improved stability when editing long scripts;
*) console - show full date and time in scheduler “next-run” property;
*) dhcp - fixed DHCP server and relay related response delays;
*) ethernet - added “supported” and “sfp-supported” values for “monitor” command;
*) interface - added “macvlan” interface support;
*) ipsec - fixed IPSec policy when using modp3072;
*) ipv6 - fixed IPv6 RA delay time from 5s to 500ms according to RFC;
*) ipv6 - send RA and RA deprecate messages out three times instead of just once;
*) log - improved logging for user actions;
*) lte - added at-chat support and increased wait time on modem at-chat for Dell DW5821e, DW5821e-eSIM, DW5829e and DW5829e-eSIM;
*) lte - added SINR reporting for FG621-EA modem;
*) lte - fixed Sierra modem detection for modems with vendor-specific USB descriptors;
*) lte - fixed startup race condition when SIM card is in “up” slot for LtAP mini;
*) netinstall-cli - prioritise interface option over address option;
*) ospf - fixed adding ECMP routes;
*) ospf - fixed OSPFv3 not working with NSSA areas;
*) ospf - fixed parsing of opaque LSAs used by TE;
*) ospf - fixed translated NSSA routes not showing in backbone;
*) port - add support for Huawei MS237h-517;
*) port - expose NMEA/DIAG ports for Dell DW5821e and DW5821e-eSIM;
*) quickset - fixed “LAN” interface list members if configuration does not contain bridge;
*) rip - added BFD support;
*) rip - fixed session not working in VRF;
*) route - fixed gateway after link restart;
*) route - removed deprecated “received-from” property;
*) sfp - improved interface stability for SFP and QSFP types of interfaces;
*) switch - improved switch chip stability for CCR2004-16g-2s+ devices;
*) tile - improved system stability when using queues;
*) traffic-generator - added “priority” property for “inject” command;
*) wifiwave2 - added comment property for registration-table;
*) wifiwave2 - enable changing interface MTU and L2MTU;
*) wifiwave2 - fixed malformed Interworking packet elements;
*) winbox - allow to set multiple addresses and added IPv6 support under “Interface/VETH” menu;
*) wireguard - added “wg-add-client” configuration wizard (CLI only);
*) wireguard - added “wg-export” and “wg-import” functionality (CLI only);
*) wireless - fixed malformed Interworking packet elements;
*) x86 - added support for Mellanox ConnectX-6 Dx NIC;

What’s new in 7.12beta1 (2023-Aug-15 16:14):
*) bgp - fixed typos and missing spaces in log messages;
*) bridge - improved system stability;
*) bth - added “Back To Home” VPN service for ARM, ARM64, and TILE devices;
*) certificate - allow to get and maintain Let’s Encrypt certificate in IPv6 environment;
*) certificate - fixed “subject-alt-name” duplicating itself when SCEP is used;
*) certificate - improved certificate validation logging error messages;
*) certificate - log CRL HTTP errors under the “error” logging topic;
*) chr - increased OVA default RAM amount from 160MB to 256MB;
*) console - added “:jobname” command;
*) console - added “as-string” and “as-string-value” properties for “get” command;
*) console - added “terminal/ask” command;
*) console - improved “:totime” and “:tonum” commands and added “:tonsec” command for time value manipulation;
*) console - improved stability and responsiveness;
*) console - improved stability when using “special-login”;
*) firewall - added “ein-snat” and “ein-dnat” connection NAT state matchers for filter and mangle rules;
*) ike1 - log an error when non-RSA keys are being used;
*) iot - fixed an issue where applying a script to GPIO pin caused GPIO to stop working;
*) iot - fixed behavior where GPIO output state would change on boot;
*) lte - fixed Sierra modem initialization;
*) lte - use more compact logging messages;
*) modbus - added additional security settings for Modbus TCP;
*) mpls - added option to match and set MPLS EXP with bridge and mangle rules;
*) mpls - fixed “propagate-ttl=no” setting;
*) netinstall - added option to discard branding package;
*) ospf - fixed BFD on virtual-link with configured VRF;
*) ovpn - added “tls-auth” option support for imported .ovpn profiles;
*) sfp - fixed missing “rx-power” monitor with certain modules (introduced in v7.10);
*) ssh - added support for user ed25519 public keys;
*) ssh - allow to specify key owner on import;
*) ssh - fixed SSH tunnel performance (introduced in v7.10);
*) supout - added LLDP power to supout.rif;
*) supout - fixed BFD section;
*) system - improved system stability when MD5 checksums are used;
*) tile - improved system stability when using IPv6 queues;
*) wifiwave2 - list APs with a higher maximum data rate as more preferable roaming candidates;
*) winbox - allow to change port numbers for SCTP, DCCP, and UDP-LITE protocols under “IP/Firewall” menus;

To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version-related issues, then please send a supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device.

Please keep this forum topic strictly related to this particular RouterOS release.

Changelog edit:

  • changed from “:tosec” to “:tonsec”.

*) firewall - added “ein-snat” and “ein-dnat” connection NAT state matchers for filter and mangle rules

Any info/docs on ein-dnat and ein-snat?

Is this the same as 7.12alpha74 ?

ovpn - added "tls-auth" option support for imported .ovpn profiles;
mpls - added option to match and set MPLS EXP with bridge and mangle rules;

Been waiting for this for a couple of years now :)

Any info/docs for this? We want to test as soon as possible.

How are you able to “match” MPLS EXP for incoming packets with mangle rules when MPLS packets bypass the firewall - are these packets no longer bypassing the firewall?

EDIT: I just upgraded my home device to this new version and I’m not seeing these new options at the moment in the CLI.

The behavior is the same as in v6 - when an MPLS packet is received, EXP bits are copied to the ingress-priority field and can be matched where ingress-priority matching is available (e.g. bridge or ip firewall). MPLS forwarding process does not traverse any firewalls, so matching can only be done on MPLS egress routers.

Note that MPLS forwarding implicitly performs copying of ingress-priority to priority (as if MPLS had some firewall with one rule that did action=set-priority new-priority=from-ingress for all packets). This way when MPLS switched packet is sent out over the wifi link, WMM AC will be chosen based on MPLS EXP bits.
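Added example, not part of the original posts and not MikroTik code: a small Python model of the behaviour described in the reply above, where the EXP bits of a received MPLS packet become ingress-priority, are implicitly copied to priority, and then select the WMM access category. The label stack layout follows RFC 3032; using the outermost label's EXP bits, the standard WMM priority-to-AC table, and the sample stack are assumptions made for illustration.

```python
import struct

# Standard 802.11e/WMM mapping of the 3-bit priority to an access category
# (assumption: the wifi link in the post uses this mapping).
WMM_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
          4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


def make_entry(label, exp, bos, ttl):
    """Build one 32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def parse_label_stack(data):
    """Parse label stack entries up to and including the bottom-of-stack entry.

    Returns (entries, remaining_payload). Raises ValueError if the stack is
    truncated before a bottom-of-stack bit is seen.
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {
            "label": word >> 12,
            "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, data[offset:]


def forward_mpls(data):
    """Model the steps from the post for one MPLS-switched packet."""
    entries, _ = parse_label_stack(data)
    # Assumption: the outermost (first) label carries the EXP bits that are used.
    ingress_priority = entries[0]["exp"]
    # Implicit equivalent of action=set-priority new-priority=from-ingress.
    priority = ingress_priority
    return {
        "ingress_priority": ingress_priority,
        "priority": priority,
        "wmm_ac": WMM_AC[priority],
    }


# Constructed sample: transport label with EXP 5 on top of a service label with EXP 0.
SAMPLE_STACK = (make_entry(1001, 5, False, 64)
                + make_entry(2002, 0, True, 64)
                + b"payload")

if __name__ == "__main__":
    print(forward_mpls(SAMPLE_STACK))
```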

Thanks for the details. Yes, I am familiar with the entire ingress-priority and priority process and the automatic copying from v6, but the wording of the change made it sound like it was implemented differently using a separate matcher for EXP instead of being folded under ingress-priority and priority like in v6.

On v6 it also works (even though an unsupported configuration) to have a bridge filter matching ingress-priority for a packet that comes from another router, as long as MPLS fast path is turned off. For example, for a packet going from router [ PE1 ] to [ P1 ] to [ P2 ] to (whatever):

[ PE1 ] ---- (packet with MPLS exp bits) ----> [ P1 regular ethernet interface → P1 bridge with queue trees and output-chain bridge filter marking packet based on ingress-priority from MPLS EXP bits → bridge port on ethernet interface ] → [ P2 ] → etc.

ex. on the P1 router, on the interface the packet comes in from (facing PE1) it is just a regular ethernet interface, then the packet goes to a single-port bridge with bridge filters (output chain) marking the packet based on ingress priority, and then it passes through the hierarchy of queue trees and goes out the single bridge port, the other ethernet interface going to router P2. It passes through the proper queue tree based on the MPLS EXP value of the incoming packet. Thus it is possible to do priority queueing of MPLS traffic on v6 through this unsupported config, and we’ve been doing this for years now.

That setup is unsupported on v6 but works, I’d like to make sure it still works on v7. (The part that is unsupported on v6 is that it is not supposed to be possible to read ingress-priority in an output-chain bridge filter for a packet that arrived through other means, such as an interface that is not on the bridge - the “P1 regular ethernet interface” in my example above)

@Larsa: Endpoint-Independent NAT: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=3211299#NAT-Endpoint-IndependentNAT

Very good for these:

*) certificate - allow to get and maintain Let’s Encrypt certificate in IPv6 environment;
*) ssh - added support for user ed25519 public keys;

Waiting for ed25519 private key support.

No IS-IS, no 6VPE. The wait continues…

ovpn - added "tls-auth" option support for imported .ovpn profiles;

Great work!

I’m getting the following error messages in log, but the connection seems to work.
Can anyone please comment if they are essential?

unsupported configuration parameter ‘ns-cert-type server’
unsupported configuration parameter ‘setenv CLIENT_CERT 0’

Thanks! Care to give a brief usage example?

ssh - added support for user ed25519 public keys;

Thanks. Been waiting for long.

Endpoint-Independent NAT
The whole world calls it Full Cone NAT

*) ssh - added support for user ed25519 public keys;

Great to see this one!
I use my openpgp key based on ed25519 on my Yubikey for SSH logins.

I have some more feature requests regarding encryption topics :)

Since RouterOS 7.7 we can use Diffie-Hellman group 31:
*) ike2 - added support for DH Group 31 (EC25519) (CLI only);

But the support is just implemented in ike2 / phase-1, could you please also bring this to ipsec / phase-2?
Is your crypto stack already able to support DH-32 (Curve448)? This would also be a great addition.

@Larsa: sry, I did not try it yet, I have seen the strange terminology and it made me curious.
I think it is the same as the thing called in RFCs EIM NAT (Endpoint-Independent Mapping).
AFAIK this is relevant for UDP NAT Traversal (STUN) for SIP (RTP, voice calls).
Here is more info: https://wiki.unify.com/wiki/Network_Configuration_for_VoIP_Providers
Maybe other P2P Protocols need it as well.

@Mikrotik, maybe the misleading ein-nat should be changed to eim-nat ? Maybe I got it wrong and this is the Mikrotik special EIN NAT ™ ?

Okay, we simply have to wait for a clarification from MikroTik when they decide to update the online manual.

Feature request: implement matching on packet-priority in queue tree child items, as an alternative to the present matching on packet-mark.
OR: implement multiple packet-marks per packet (e.g. via some new construct of “packet mark groups” to preserve backward compatibility)

Reason: as it is now, you can use packet marks only for a single purpose. When you decide to use them for priority and queueing, you cannot use them for another purpose anymore.

Ask and ye shall receive…

:put [/terminal/ask "Is there going to be BTH for xMIPSx?"]

Minor issue: the F1 help implies there is a sensitive=, but it’s not in the command completion.