v7.19beta [testing] is released!

RouterOS version 7.19beta has been released on the “v7 testing” channel!
Before an upgrade:

1. Remember to make backup/export files before an upgrade and save them on another storage device;
2. Make sure the device will not lose power during upgrade process;
3. Device has enough free storage space for all RouterOS packages to be downloaded.

What’s new in 7.19beta8 (2025-Apr-04 13:24):
*) certificate - fixed cloud-dns challenge validation for sn.mynetname.net (CLI only);
*) device-mode - added new “rose” mode where “container” feature is enabled by default;
*) fetch - fixed false successful messages in FTP mode;
*) ipsec - lower standalone cipher, hash priority when using ctr aead;
*) log - fixed remote logging after reboot when hostname is forwarded to a DNS server;
*) lte - fixed LTE status update or possible crash when modem is unexpectedly removed from system;
*) netinstall-cli - check for other running Netinstall servers on startup;
*) ptp - allow multiple instances;
*) sfp - improved QSFP link stability for CRS354 devices;
*) system - fixed “/system reboot” when the system disk is completely full;

What’s new in 7.19beta7 (2025-Mar-31 10:55):
*) bgp - fixed excessive CPU usage;
*) bridge - properly flush bridge hosts when bonding is used as bridge port and loses hw-offloading status;
*) ike2 - improved initial key exchange process on slow or unreliable connections;
*) ippool6 - properly free IPv6 pool used prefix when it is not used any more;
*) isis - properly validate 3-way hello handshake;
*) ipv6 - fixed EUI-64 false error message on address update when “from-pool” option is used;
*) lte - fixed initialization for R11e-LTE6 modem;
*) lte - fixed initialization for Neoway N75 modem;
*) lte - reset internal link-recovery-timer on sim slot change;
*) netinstall - improved network socket re-opening when NIC status changes while running the server (additional fixes);
*) rose-storage - added Btrfs disk balance command (CLI only);
*) rose-storage - fixed mounting Btrfs subvolumes using macOS SMB client;
*) route-filter - fixed the “blackhole” option setting process;
*) system - improved system stability when sending TCP data from the router;
*) webfig - fixed graphs appearance under “Tools/Graphing” menu (introduced in 7.19beta2);
*) wifi - improved wifi connection stability when used as a station for “b” mode access point;
*) wifi - use at least TLS 1.2 for securing connection between CAPsMAN manager and CAPs (additional fixes);

What’s new in 7.19beta6 (2025-Mar-19 09:56):
*) bridge - fixed issue when local MACs were removed unnecessarily;
*) bridge - offload VXLAN only if another HW offloaded port exists in the bridge;
*) dhcp-server - improved stability when dual stack is used and one of the servers is removed (introduced in v7.19beta2);
*) dhcpv4/v6-client - fixed default route when DHCP client interface is in VRF;
*) dhcpv6-server - allow unsetting prefix-pool for static bindings and show warning if prefix is not in selected prefix-pool;
*) file - fixed missing files from The Dude (introduced in v7.18);
*) lte - Chateau 5G R16 fix DHCP relay packet forwarding using LTE interface;
*) net - remove support for automatic multicast tunneling (AMT) interface (introduced in v7.18);
*) netinstall-cli - clear old configuration before user script using “-s”;
*) ovpn - properly match GCM hardware acceleration capabilities (introduced in v7.17);
*) route - improve stability on BGP reconnect;
*) x86 - remove unnecessary console output on shutdown;

What’s new in 7.19beta5 (2025-Mar-12 12:42):
*) certificate - added built-in root certificate authorities store (additional fixes);
*) console - fixed issue with file-name completion (introduced in v7.18);
*) container - fixed repository name handling to prevent redirect issues when basic authentication is used;
*) dhcpv4-client/server - added support for DHCPv4 reconfigure messages;
*) dhcpv6-server - change static binding bound status to waiting on server disable;
*) dhcpv6-server - improved stability when disabled server have static bindings;
*) firewall - fixed IP/Settings “ipv4-fasttrack-active” status showing as inactive when it is active;
*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18);
*) wifi - fixed incorrect attribution of 802.11be capability to 802.11ax APs in output of scan command (introduced in v7.19beta2);
*) wifi - fixed sending of reassociation response frames (introduced in v7.19beta2);
*) wifi - improved stability for wifi interfaces;

What’s new in 7.19beta4 (2025-Mar-06 14:10):
*) bridge - fixed dhcp-snooping in QinQ setups (additional fixes);
*) console - added on-error to “for” and “foreach” loops;
*) console - added proplist to monitor command;
*) console - do not treat return values as errors in scripts run from scheduler;
*) console - enabled verbose error logging for non-scripted/non-verbose imports;
*) console - improve time value handling;
*) console - validate script arguments (do, on-error, etc.) and reject invalid values;
*) dhcpv4-server - “Relay-Agent-Information” (82) option moved at the end of option list in response packets;
*) file - added show-hidden parameter to /file/print, allowing referencing and deleting hidden files;
*) hotspot - improvements to memory usage;
*) lte - additional fixes for eSIM management support;
*) lte - AT modems, improved redialing when modem lost connectivity without notifying host about APN status change;
*) lte - initial support for user settable modem redial timer;
*) netinstall - fixed issue with launching the app (introduced in v7.19beta2);
*) netinstall - provide warning if memory on installed router is full after installation;
*) ospf - fixed “mismatch” typo in logs;
*) port - added support for Huawei E3372-325 variant (vendor-id=“0x3566” device-id=“0x2001”);
*) port - added USB mode switch support for “huawei-alt-mode”;
*) port - improvements to KNOT BG77 modem port channel handling;
*) rose-storage - show btrfs balance and scrub errors if any;
*) torch - improved data reporting;
*) wifi - display error when trying to run snooper on interface which does not support wireless packet capture (sniffer);
*) wifi - fix possible snooper crash when parsing frames with malformed headers;
*) wifi - implement WPA2 PSK authentication with key derivation using SHA256 (CLI only);
*) wifi - improve parsing of captured frames which have nested flags in radiotap header;
*) wifi-qcom - fix OWE authentication for 802.11ac interfaces in station mode;
*) winbox - added comment under “User Manager/Routers” menu;
*) winbox - added netmask support for switch rule Src/Dst IPv6 Address settings;
*) winbox - fixed “Multi Passphrase Group” setting for wifi;
*) x86 - i40e updated driver to 2.27.8 version;

What’s new in 7.19beta2 (2025-Feb-28 08:58):
*) arp - added warning, when “Published” ARP entry used on an interface with “reply-only” ARP mode enabled;
*) bgp - added input.filter-community;
*) bgp - fixed input.accept-community;
*) bgp - fixed memory leak on receiving notify and closing session;
*) bgp - improved performance on BGP input;
*) bonding - added setting for LACP active/passive modes;
*) bridge - added new STP monitoring fields for bridge and ports (Tx/Rx BPDU, Tx/Rx TC, forward/discard transitions, last topology change, message-age, max-age, remaining-hops, bridge-id);
*) bridge - fixed bridge port hang when using invalid port IDs;
*) bridge - fixed dhcp-snooping in QinQ setups;
*) bridge - fixed minor memory leak on link down;
*) bridge - fixed multicast packet flow on hardware offloaded bridge which acts as “multicast-router”;
*) bridge - improved default bridge and port layout on console and GUI;
*) bridge - improved stability in case of configuration error (introduced in v7.15);
*) bridge - moved “TCHANGE” logs from bridge,stp to bridge,stp,debug;
*) bridge - rename “ports” to “interface” under MDB table for configuration consistency with other menus;
*) bridge - renamed STP monitor fields (port-number to port-id, designated-port-number to designated-port-id, designated-bridge to designated-bridge-id);
) bridge - show designated- monitor field for all port roles;
*) bridge - show warning instead of causing error when using multicast MAC as admin-mac (introduced in v7.17);
*) capsman - fixed “undo” command for cap interfaces;
*) certificate - added built-in root certificate authorities store;
*) certificate - do not include CA identity in SCEP POST requests;
*) certificate - improve error message when trying to use certificate;
*) certificate - optimize trust store;
*) cloud - fixed issues when BTH is toggled fast between enable/disable;
*) cloud - improved “BTH Files” web page design;
*) console - disallow incomplete double-quoted arguments (allows multiline string pasting);
*) console - fixed issue with files when using scripts (introduced in v7.18);
*) console - fixed misaligned multiline in brief print mode;
*) console - improved file add/remove process stability;
*) console - set “/system/note show-at-login=yes” the default value after configuration reset;
*) container - allow changing container name;
*) container - try to derive a user readable container name from remote image or file;
*) dhcpv4 - improved outgoing packet logging;
*) dhcpv4-server - accept packets with htype 6;
*) dhcpv4/v6-client - added check-gateway parameter;
*) dhcpv6-client - allow selecting to which routing tables add default route;
*) dhcpv6-relay - clear saved routes on DHCP release;
*) dhcpv6-relay - show client address;
*) dhcpv6-server - change bound status to waiting on binding disable;
*) dhcpv6-server - fix when expired static binding is declined with false “binding belogs to another server” reason;
*) dhcpv6-server - improved stability when disabling server with active bindings;
*) disk - add “sector-size” property in print detail;
*) disk - add reset-counters to /disk btrfs filesystem;
*) dlna - improved folder indexing behavior;
*) dns - improved DNS server service stability;
*) dot1x - fixed dynamic switch ACL rules on boards with a lot of ports (e.g. CRS520);
*) ethernet - improved Ethernet and PoE port mapping to ensure a consistent and reliable interface order;
*) file - improved responsiveness on slow filesystems;
*) firewall - always show “passthrough” when exporting mangle table;
*) firewall - detect VRF addresses as local;
*) health - hide settings in CLI if there is nothing to show;
*) health - improved performance on devices with simple voltage sensors;
*) igmp-proxy - do not try to send leave message for multicast groups that the device itself has joined on the upstream interface (cosmetic fix for proxy error logs);
*) iot - improvement to lora dev-addr-validation behavior;
*) iot - improvement to lora join eui/net id filtering behavior;
*) ip-service - show all TCP/UDP connections on the system;
*) ip-service - show all TCP/UDP ports on system, including ports in containers;
*) ip-service - show error message when service enable fails;
*) ipv6 - avoid watchdog reboot due to link-local IPv6 address reconfiguration on thousand of interfaces at once;
*) l2tp-ether - improved stability when trying to connect to disabled L2TP server with IPsec;
*) l3hw - remove VLAN tag before VXLAN encapsulation (fixes pvid behavior for bridged VXLAN);
*) log - added additional CEF fields from firewall and login logs;
*) log - populate in/out fields in firewall CEF logs with correct data;
*) lte - added UICC parameter in LTE monitor for R11e-4G modem;
*) lte - fixed modem recovery after firmware upgrade for R11e-LTE modem;
*) lte - fixed Router Advertisement processing issue for AT modems when an APN with “ip-type=ipv6” was configured;
*) lte - improved dialer for EC200A-EU modem;
*) lte - set apn profile name the same as apn if no name specified when creating the profile;
*) netinstall - improved network socket re-opening when NIC status changes while running the server;
*) netinstall - show warning when network configuration on PC might not be appropriate for installation;
*) netinstall-cli - fixed issue with applying the branding package;
*) ovpn - disable hardware accelerator for GCM on MMIPS CPUs (introduced in v7.18);
*) ovpn-server - do not reset active connections when changing comment or name;
*) pimsm - fixed issue where own query caused querier detection;
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) ppc - fixed VLAN TCP packet transmit on PPC devices;
*) profiler - improved process classification;
*) ptp - added “ptp” logging topic;
*) quickset - improved system stability;
*) rose-storage - fixes for btrfs;
*) route - added options to set dynamic-in and connected-in chains in /routing/settings;
*) route - fixed stuck output when calling prints from multiple routing menus;
*) route - make AFI naming consistent;
*) route - show BGP session name instead of cache-id;
*) route-filter - improved performance;
*) sfp - added sfp-encoding data output from EEPROM;
*) sniffer - add max-packet-size (2k-64k) setting to be able to sniffer more than 2k data per packet;
*) ssh - fixed authorization with SSH key when multiple user SSH public keys are imported;
*) ssl/tls - respond with more precise alert error messages;
*) ssl/tls - send certificate authority in Certificate message even if it is not trusted;
*) switch - do not count rx-too-long multiple times on 100Gbps QSFP28;
*) switch - fixed egress mirroring for packets coming from external CPU port (e.g. CRS520, CCR2216, CCR2116);
*) switch - flush CPU port FDB entries on switch disable;
*) switch - improve rate limit accuracy for MT7531, MT7621, EN7562CT;
*) switch - improved boot stability on devices with Alpine CPU and switch chip;
*) switch - improved stability when enabling IGMP snooping with VXLAN (introduced in v7.18);
*) system - improved internal “flash/” prefix handling for different file path related settings;
*) webfig - allow table column resize over side toolbar;
*) webfig - don’t reorder rows when selecting header cells with Alt+click;
*) webfig - show IPv6 firewall connections;
*) webfig - show missing data in “IP/DNS/Cache” records;
*) wifi - add channel.reselect-time parameter which allows to perform channel re-sellection at given time of day (CLI only);
*) wifi - add information on CAP uptime and connection uptime in “Remote CAP” list;
*) wifi - added “eap-identity” to registration table;
*) wifi - added SSID to logs;
*) wifi - fix authentication of clients which omit some RSN information at association;
*) wifi - fix incorrect info about current channel for station interfaces after AP has switched channel (introduced in v7.17);
*) wifi - re-word log entries about disconnections which are likely caused by peer using a wrong passphrase;
*) wifi - use at least TLS 1.2 for securing connection between CAPsMAN manager and CAPs;
*) wifi-qcom - fix inability of interfaces in station mode to connect if they do not support full bandwidth of AP;
*) winbox - added “MAC Telnet” under “Wifi/Registration” menu;
*) winbox - added “Multi Passphrase Group” for wifi;
*) winbox - added “Reset MAC address” for legacy wireless and wifi;
*) winbox - added country to wireless setup-repeater;
*) winbox - changed default wireless wds-cost-range values;
*) winbox - do not show not relevant values for certificate template;
*) winbox - fixed missing SMB client on non-ROSE devices;
*) winbox - fixed switch menu for Chateau 5G;
*) winbox - improve graphing efficiency when communicating with WinBox;
*) wireguard - add wg-import config-string parameter to import config directly from terminal;
*) wireguard - update peer info on “get” command;
*) wireless - added “eap-identity” to registration table;
*) wireless - implement handling of RADIUS disconnect messages by CAPsMAN;
*) wireless - suggest all legitimate frequencies for interfaces with 20/40mhz-XX channel width in GUI;
*) x86 - added support for Emulex NIC;

To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

*) dns - improved DNS server service stability;
Can you elaborate please

In general, “improved stability” usually means that they’ve fixed a bug that used to cause a crash.

will measures be taken to increase free space on 16mb devices? hardly enough space to save a backup!
only one extra package is installed (wifi-qcom-ac).
Free space decreased by 80kb with this update.

*) wireless - added “eap-identity” to registration table;

Wasn’t this already in the legacy drivers?

Or was it only seen under CAPsMAN tab? I’m not sure now

Similarly two questions
What do the following mean.
*) route - added options to set dynamic-in and connected-in chains in /routing/settings;
and
*) cloud - changed asset CDN URL for “BTH Files”;

Some weirdness while using OpenVPN GCM (lots of decrypt errors and massive packet losses) that completely goes away just by changing GCM to CBC are still present on v7.19b2, just tested it on a RB4011 (ARM platform) router.

Report for v7.18 (unchanged on v7.19b2)
http://forum.mikrotik.com/t/v7-18-2-stable-is-released/182200/1

UPDATE1: Also tested with a RB750Gr3 (MMIPS) router, and could NOT reproduce the problems. Everything works just fine no matter using CBC or GCM
UPDATE2: Also tested with a RB2011 (MIPSBE) router, and could NOT reproduce the problems. Everything works just fine no matter using CBC or GCM

Among the CPU platforms I can test on, this behavior seems to be ARM isolated.

*) dhcpv6-client - allow selecting to which routing tables add default route;

Great, step 2 after this new feature was already changed in 7.18(beta, rc) for the dhcp-v4-client !!
The last step will be to implement this in the PPPoE-Client as well
Maybe in a 7.19beta3??

For my part, neither netinstall or netinstall64 works with this version, the application doesn’t start.

I don’t have any problems with netinstall 7.18, 7.6, and other versions, it seems 7.19beta2-related, maybe :

“*) netinstall - improved network socket re-opening when NIC status changes while running the server;
*) netinstall - show warning when network configuration on PC might not be appropriate for installation;”

I have Win10 64 bits with last software updates.

Can, please, be explained this:
*) bridge - improved stability in case of configuration error (introduced in v7.15);

To add default IPv6 FastTrack when updating from ANY v7 previous version, just paste this into the terminal
(barring arbitrary changes to the default configuration already made).
New devices netinstalled with default 7.18beta4 config and later, or reset with default configuration on 7.18beta4 and later, have already the rule.
{
/ipv6 fire filter
remove [find where comment=“defconf: fasttrack6”]
add chain=forward action=fasttrack-connection connection-state=established,related comment=“defconf: fasttrack6”
:local idone [find where comment=“defconf: fasttrack6”]
:local idtwo [find where comment=“defconf: accept established,related,untracked” and chain=forward]
:put $idone
:put $idtwo
move $idone destination=$idtwo
}
For full default firewall rules:
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/25

This is very handy

ip-service - show all TCP/UDP connections on the system;
ip-service - show all TCP/UDP ports on system, including ports in containers;
route - added options to set dynamic-in and connected-in chains in /routing/settings;

This is very buggy and slow

[rchan@Home] > /routing/settings/set dynamic-in-chain="dynamic-in"
[rchan@Home] > /routing filter rule
add chain=dynamic-in disabled=no rule="set comment \"test\"; accept;"

at least the intention is clear to resurrect the old dynamic-in & connected-in that we have in v6

You are not supposed to save your backup in flash memory! That normally is useless anyway.
Make your backup in the RAMdisk (i.e. in the root directory on those 16MB devices), and then download it to your computer.

*) bridge - improved stability in case of configuration error (introduced in v7.15);

Is this related to spikes in CPU due to “mvpp2” and “management” processes in any way? Or is it something else unrelated?

Routing is getting from bad to worse with each version.

70% total CPU usage (across 4 CPU cores) by “routing” process, right after upgrading to 7.19b2.
Router (RB4011) has 8 BGP peers, and ~3000 routes and practically zero traffic (1-2mbps).

> /system/resource/cpu/print 
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  71%   1%   0%  
1  cpu1  76%   0%   0%  
2  cpu2  76%   1%   0%  
3  cpu3  85%   1%   0%

> /tool/profile duration=10 cpu=total 
Columns: NAME, USAGE
NAME                 USAGE
networking           3.6% 
management           4.2% 
winbox               0%   
ethernet             0.3% 
logging              0%   
console              0.6% 
crypto               0%   
routing              69.6%
queuing              0.2% 
firewall             0.1% 
profiling            0%   
kernel               0.8% 
chacha_neon          0%   
poly1305_arm         0%   
libchacha20poly1305  0%   
8021q                0%   
total                79.4%

*) dhcpv4/v6-client - added check-gateway parameter;

Can we also get ability to specify address-list to which IP address will be added once client is bound? It would greatly simplify NAT rules with dual-WAN setups when hairpin mangling is required.

So many moves on Bridging, Switching, ARP, and other very fundamental layers.
I think(I hope) this can be happening for a good reason!

Compared to other vendors and even to the standards, the bridge implementations, the nomenclature, and etc, were so weird!

My guess is that they had to recognize the weirdness of their implementation of Bridge when they started to work on EVPN and go deeper on SDK of hardware offload. The terminology didn’t fit!

I have the impression that someone there did a flip-table and said:
“Enough! I’m not going to break another thing to fit with this mess! Either fix this mess in Bridges or I’m done with this!”

Assuming my guess is correct, I think good things are coming.
But I’m willing to bet that a lot of things will break. Let’s wait and see.

Wow, awesome what you can read between the lines.

The naming of things and how bridges in RouterOS are implemented aligns with how the Linux kernel bridge implementation does things.
That’s the most likely explanation from my perspective. In the past, you could always see Linux kernel peculiarities shine through in RouterOS interfaces.
With stronger integration of vendor SDKs, as you mentioned, it looks like they’re making everything a bit more independent from the lower layer implementation details.

[admin@test] > /routing/bgp/connection/print where afi=
ip     ipv6     l2vpn     l2vpn-cisco     vpnv4     vpnv6   
[admin@test] > /routing/route/find where afi=          
bad     ip     ipv6     l2vpn     l2vpn-cisco     l2vpn-link     link     mip4     mip6     vpnv4     vpnv6

Viva! Hurrah!
They listened…
Thank you!