V7.21beta [testing] is released!

Installed for testing on RB5009, wAP ax, L23UGSR-5HaxD2HaxD (upgrade from 7.20)

wifi - added CAPsMAN forwarding support (datapath.traffic-processing=on-capsman) → works, but speed limited to circa 150Mb/s;
wifi-qcom - added Unsolicited BSS Transition Management Request support → needs more testing, but seems to work.

Failures:

For now, IPSec stopped working (IPSec/IKEv2 with local-user manager and Let’sEncrypt certificate), connection is established but no traffic can pass the tunnel.

SUP-201086

I cannot get this to work with two hAP ac2, one is CAPsMAN, other is CAP.

Interfaces from CAP appear on CAPsMAN, with message “data channel not supported”.

What I have done is set datapath.bridge=bridge-WAN and datapath.traffic-processing=on-capsman.

Without traffic-processing=on-capsman everything works, of course, as it has been working before.

Yes, I have read previous threads (from a few months ago) about traffic processing in newest wifi not being supported with wifi-qcom-ac driver, but from this announcement I assumed it should be supported now…

Btw, this is my home setup, and I like to play with newest and greatest stuff :slight_smile:

This is already available in this version with this:

So, you can ping via VRF, using ip@vrf format.

But why downgrade the UX like that?

Piece by piece Winbox becomes more non-intuitive to use.
On the routes the excuse was that some people may have used the dropdown menu to select an interface to set as a gateway which would not work in non-p2p interfaces (which is expected), instead of manually writing the gateway IP.

So because of some users not knowing how gateways work, now we all have to type the Interface names whereas before we could use the dropdown menu to select the interface names.

What’s the excuse for the worse UI in the ping window?
What purpose does it serve to remove the VRF/Interface dropdown menus?

Sure, it’s just an interface name or a vrf name, but where does it end? Routing filters UI is gone, and we have to type essentially code to implement routing filters. (yes I know about the v7.20 filter wizard, but that does not allow you to edit or search, sort, filter the filters list)

Is the end plan for every input to be typed manually and make winbox just a read-only tool?

Hopefully it’s something along the lines of “Unsolicited Optimized Roaming request” where the AP just recommends to move to a better AP instead of sending a deauth based on minimum RSSI. Hopefully more clarification eventually comes out about it. Would be nice to know what to test for.

console - added changelog to /system/package/update/check-for-updates;

While this is great, I believe it makes no sense to display the changelog if I’m already up-to-date:

[admin@SoluttiHotspot] [check]> /system/package/update/check-for-updates
channel: testing
installed-version: 7.21beta2
latest-version: 7.21beta2
status: System is already up to date
changelog: What's new in 7.21beta2 (2025-Oct-06 16:06):
*) arm64 - allow enabling receive packet steering on /system/resource/irq/rps menu in order to overcome unbalanced CPU load;
*) bgp - added output.network-blackhole setting;
*) bgp - allow duplicate router-ids for eBGP sessions (RFC-6286);
……….

Considering the below:

Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using, the default, non-HW offloaded bridge (enabled RSTP).

This is kind of mind boggling.

Is IPQ-PPE HW bridge ever coming?

I was on 7.20 and updated to this beta, communication between my rb4011 wifi and hap ax2 seems to take a little longer!

same problems

To return to the stable version, I had to connect and activate the boot from another partition. And there was very little time to do this.

On night version same problems…

ipv6 - allow to specify on which interfaces to accept Router-Advertisements;
ipv6 - do not disable/enable Router-Advertisements functionality based on IPv6/ND configuration;

Nice, both of these seem to be working ok on my RB5009UPr+S+IN. Now I don’t need to have a dummy ND entry active on ether1 to receive my ISP’s RAs!

ipv6 - remove SLAAC installed DNS server and route on expire;

Cool, but now my default route is continually appearing then disappearing again almost immediately:

SLAAC Default Route

I suppose it could be some kind of weird interaction between this particular change and the fact that my ISP is continuously spamming me with RAs at a rate of 3 per second? :roll_eyes:

However, the router lifetime in their RAs is set at 9000 seconds, so I don’t know why the route would keep disappearing like that…

looks like it does nothing, still have dynamic blackholes for each bgp session when set output.network-blackhole=no

  • Good to see work there, but why hardcode the variables?
    Please allow template-based option82 like all other major platforms
  • This is great! Hopefully we will see this expanded to whole sections in the future!
  • I haven't seen a single failure in this, in some 15 years.
    As a matter of principle, a verbose failure is always preferred to a silent one
  • I didn't play with containers yet.
    This may very well be the invitation I needed.
    Also, kudos on implementing CPU-Control!
    Hopefully we will see improved resource management and separation in the future!
  • This sounds.. weird, quirky, and also cool. Marked "to be toyed with"
  • Always great to see work towards full management separation from the served network
  • I haven't personally suffered with this one, (could always globally disable accept-RA)
    IPV6 "Automagic-Everything" is the wild chaos west.
    All granular features helping tame it are very welcome
  • I have abused this before
    is this limit related to hashing constraints for firewall performance?
  • Beautiful!!
    I have some deployments stuck on CapsMan-v2 due to lack of remote-tunnelling
    Now I have to test this \o/

What a laundry list of great work!

Thanks for that!

Great! That had been missing for a long time.

But it does not (yet) include a setting for the web part of user-manager. Maybe it would have to be part of the user-manager settings, but I do not see it there, either.

Unfortunately in the documentation (that has been updated) it says nothing about radar events or channel changes, unsolicited roaming requests seem to cover only low RSSI scenarios.

I can confirm that 7.21beta2 has fixed Web UI reload loop issue introduced in 7.20.

SUP-200627

Thank you Mikrotik for making a start on the MACSEC hardware offload. Look forward to your future products supporting this into the future.

routing/route table will show inactive “bgp-network” route, but there are enough active blackhole routes and networks are not advertised, if that is what you are referring to.

It would be preferred when blackhole routes are not created in the case where it was set to not output them.

So if I have an internal network, spanning 10.0.0.0/8 (or parts thereof), and I only receive a default route…. You are going to blackhole / null route my network.

This is a horrible, horrible, horrible idea. Who decides what / when a block must be blackholed, and when not? Regional RIRs assign IP blocks on a daily basis… Blackhole prefixes change numerous times per day tbh.

What is Mikrotik’s “Definition” of a “blackhole” route?
