V7.22rc [testing] is released!

Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.22rc4 (2026-Mar-04 15:06):

  • app - added jupyter-notebook, livebook, myip, and rustfs apps (additional fixes);
  • app - added support for custom apps (additional fixes);
  • app - do not show duplicate entries of required-mounts;
  • app - fixed elasticsearch, element, pmacct-netflow apps failing to start (additional fixes);
  • bgp-vpn - allow modifying scopes with routing filters;
  • bgp-vpn - use target scope for imported route;
  • netinstall-cli - fixed empty configuration option (introduced in v7.22rc3);
  • ospf - fixed typos in log messages;
  • route - added SLAAC route redistribution for IPv6 capable routing protocols;
  • route - fixed /routing/settings not able to set configuration without specifying policy-rule parameter (introduced in v7.22rc3);
  • routing-filter - added possibility to match SLAAC and bgp-mpls-vpn route types;
  • switch - improved system stability when changing bridge multicast-router property on CRS1xx/2xx (introduced in v7.19);
  • system - added reset-configuration keep-apps=yes (additional fixes);
  • wifi - improved support for 802.11be access points (additional fixes);
  • winbox - fixed L3HW default value for VLAN interface (introduced in v7.21);
  • winbox - rearrange filter wizard parameters in tabs;

What's new in 7.22rc3 (2026-Feb-26 10:37):

  • ! certificate - added support for multiple ACME certificates (services that use a previously generated certificate need to be reconfigured after the certificate expires) (additional fixes);
  • ! device-mode - added option to configure device-mode via Netinstall or FlashFig using a “mode script” (additional fixes);
  • app - added health check for apps, which automatically rewrites the composed YAML;
  • app - clean the backup directory after container repull;
  • app - fixed element that was failing to start;
  • app - fixed potential port collisions between apps;
  • app - show DNS URL for app only if it has a reverse-proxy (additional fixes);
  • bgp - make remote.address parameter optional;
  • bridge - added local and static MAC synchronization for MLAG (additional fixes);
  • bridge - added MLAG support per bridge interface (/interface/bridge/mlag menu is moved to /interface/bridge; configuration is automatically updated after upgrade; downgrading to an older version will result in MLAG configuration loss) (additional fixes);
  • bridge - fixed performance regression in complex setups with vlan-filtering (introduced in v7.20);
  • bth - use separate Let's Encrypt certificate for file-share;
  • container - automatically stop/repull/start the container on repull or remote-image change;
  • device-mode - removed authorized-public-key-hash property;
  • dhcpv6-relay - fixed link-layer address inconsistency with the original link-layer address in relay-forward packets (additional fixes);
  • fetch - fixed fetch treating relative paths from redirects as hostnames;
  • health - added CPU temperature monitoring to L009 with ARM64;
  • ip - added reverse-proxy (additional fixes);
  • ipsec - improved aes256-ctr stability on L009;
  • isis - improved stability and fixed a small memory leak;
  • l3hw - fixed missing VLAN counters on reboot (introduced in v7.21);
  • l3hw - improved system stability when enabling VLAN offloading under active traffic (introduced in v7.21);
  • leds - fixed WiFi LEDs on hAP AX S (introduced in v7.22rc1);
  • poe-out - firmware update for CRS354-48P-4S+2Q+ (the update will cause a brief power interruption to poe-out interfaces);
  • poe-out - fixed controller-error for CRS354-48P-4S+2Q+;
  • route - do not set blackhole flag for synthetic routes;
  • route - fixed connected routes sometimes not working (introduced in v7.22rc1);
  • route - removed preset rules and use routing/settings policy-rules (introduced in v7.22beta1);
  • routerboard - allow changing /system/routerboard/settings via Netinstall or FlashFig using a "mode script" (additional fixes);
  • system - improved upgrade service stability when the server is unreachable;
  • user - properly apply login delay (introduced in v7.20);
  • wifi - improved stability of interfaces in station mode during roaming;
  • wifi - improved support for 802.11be access points (additional fixes);
  • winbox - added missing route flags;
  • winbox - added route ISIS tab;
  • winbox - show MPLS tab only to relevant routes;

What's new in 7.22rc2 (2026-Feb-17 10:13):

  • app - changed ui-url parameter for Smokeping and Nextcloud;
  • app - fixed CHR reverse proxy entry using the wrong IP address (introduced in v7.22beta3);
  • app - fixed issue with Cinny not being able to create a root-dir;
  • bridge - added local and static MAC synchronization for MLAG (additional fixes);
  • certificate - added support for multiple ACME certificates (additional fixes);
  • container - fixed issue where the container may not start after upgrading if root-dir was not set;
  • container - improved error message if container fails to start;
  • defconf - fixed L009 configuration (introduced in v7.21);
  • iot - added Bluetooth extended scanning and 1M/2M PHY support for the RB924i KNOT devices;
  • iot - added Bluetooth extended scanning, advertising, and 1M/2M/CODED PHY support for EC25 KNOT devices;
  • ipsec - removed modp8192 proposal on MIPS architectures;
  • l2tp - improved system stability on TILE architecture;
  • l3hw - improved system stability on device shutdown/reboot;
  • lte - added subscriber number to monitor command for MBIM modems (additional fixes);
  • lte - fixed crash on LTE passthrough interface deactivation;
  • lte - fixed firmware upgrade for EC25-EU&KNe (introduced in v7.22rc1);
  • wifi - improved support for 802.11be access points (additional fixes);
  • winbox - added local table, mangle action and VRF setting under "Routing/Rule" menu;
  • winbox - fixed empty "Realm Raw" value processing and value inheritance from configuration template (requires WinBox 4);

What's new in 7.22rc1 (2026-Feb-06 11:55):

  • app - enable swap on all devices that use apps to help with performance;
  • app - show app URL only when it is running (additional fixes);
  • app - show DNS URL for app only if it has a reverse-proxy (additional fixes);
  • bridge - added local and static MAC synchronization for MLAG (additional fixes);
  • bridge - added RA guard feature (additional fixes);
  • bridge - fixed dhcp-snooping incorrectly disabling HW offloading on QCA8337, Atheros8327 switch chips (introduced in v7.20);
  • bridge - improved VRRP MAC address handling (additional fixes);
  • certificate - added support for multiple ACME certificates (additional fixes);
  • ethernet - increased Rx buffer size for devices with Alpine CPUs (reduces packet rx-drop in certain cases);
  • gps - fixed port configuration for CubeG-5ac60ay;
  • hotspot - allow WireGuard interface type (additional fixes);
  • hotspot - check validity of base32 for otp-secret;
  • hotspot - rename totp-secret to otp-secret;
  • hotspot - set sensitive flag on /ip/hotspot/user otp-secret;
  • ike1 - added ChaCha20-Poly1305 ESP encryption support;
  • ike1,ike2 - improved netlink update handling;
  • iot - added modbus delay using interframe-gap setting;
  • ip - added reverse-proxy (additional fixes);
  • ip-service - properly disable IP/Service on manual disable;
  • ipv6 - fixed "on-link" and "autonomous" flag detection (introduced in v7.21);
  • ppp - added initial support for BG770A-GL modem firmware update;
  • route - fixed routes when scope was less than 10;
  • sfp - fixed sfp-ignore-rx-loss parameter for RB960PGS;
  • snmp - report maximum "ifSpeed" value if out of bounds;
  • wifi - fixed an issue preventing WiFi interfaces from getting correct bridge vlan-id (introduced in v7.22beta1);
  • wifi - improved support for 802.11be access points (additional fixes);
  • wireguard - fixed private key generation when creating a WireGuard interface;
  • x86 - added JME network driver (additional fixes);

Other changes since v7.21:

  • app - added configurable app-store URL for custom apps;
  • app - added jupyter-notebook, livebook and myip apps;
  • app - added support for custom apps;
  • app - allow configuring bridge port pvid for app;
  • app - fixed /app/export;
  • app - fixed apps constantly polling the cloud;
  • app - fixed missing reverse-proxy URL;
  • bgp - added BGP unnumbered support;
  • bgp - changed multipath to number argument;
  • bgp - fixed BGP output sometimes not being cleaned after session restart;
  • bgp - fixed early-cut not working properly;
  • bgp - fixed ignore-as-path-len not being used;
  • bgp - fixed update messages not being sent on default-prepend value change;
  • bgp - implement multipath (ability for BGP best path to select ECMP routes);
  • bgp - implemented add-path;
  • bridge - added MLAG support per bridge interface (/interface/bridge/mlag menu is moved to /interface/bridge; configuration is automatically updated after upgrade; downgrading to an older version will result in MLAG configuration loss);
  • bridge - added MLAG-specific aged and aged-peer flags to host table;
  • bridge - fixed MAC moving between regular ports and bonds for MLAG;
  • bridge - fixed MLAG state being permanently disabled when changing bridge interface settings;
  • bridge - improved logic for interface remove;
  • bridge - improved MAC synchronization for MLAG;
  • bridge - removed vlan-filtering check when changing the MVRP setting (allows disabling MVRP through WinBox);
  • certificate - improved certificate export process;
  • certificate - improved logging;
  • chr - improved fast-path stability when using vmxnet3 driver;
  • console - added :continue and :break commands for various loops;
  • console - added :exit command to terminate scripts;
  • console - added "comments" parameter to print command to control comment and error output;
  • console - added comparison operators for ID values;
  • console - added Ctrl+Left/Right word navigation;
  • console - added Ctrl+w word deletion;
  • console - added hint for dry-run import parameter;
  • console - added left shift (<<) and right shift (>>) support for IPv6 addresses;
  • console - added on-event script runner support to print follow/follow-only;
  • console - added timestamp support to print follow/follow-only;
  • console - allow undefined variables in dry-run import;
  • console - changed autocomplete expansion criteria;
  • console - disable follow command in /ip/firewall/connection menu;
  • console - fixed brief print for entries with multiple comments;
  • console - fixed setting of /interface/wireless/scan-list;
  • console - fixed time drift for interface last-link-down-time and last-link-up-time;
  • console - fixed value type names in comparison errors;
  • console - implemented string casting in :tobool command;
  • console - improved command decoding to drop extraneous commands (visible in history logging);
  • console - improved error tracing when using find command;
  • console - improved export command to avoid empty [find];
  • console - improved history logging when performing object rename with set/reset;
  • console - improved set/remove command handling in /file menu;
  • console - look up variable in global scope if argument scope lookup failed;
  • console - parse width parameter for non-interactive SSH commands;
  • console - show smaller QR codes where possible;
  • console - use the same flag output format for both print brief and detail;
  • container - added support for zstd extraction;
  • container - internal stability improvements;
  • container - use the user-defined envs and envlist for container shell command;
  • detnet - added request-interval setting;
  • detnet - changed default port from MNDP to a random unused UDP port;
  • device-mode - allow update from Netinstall via mode script (new "Mode script" property available for Netinstall and netinstall-cli, applied before defconf or user-defined script);
  • dhcp-server - improved failure/error logging for both IPv4 and IPv6;
  • dhcpv4-client - fixed inability to reference disabled DHCP client by interface name;
  • dhcpv4-client - request DOMAINNAME (15) option from the server;
  • dhcpv4-server - improved DHCP option handling;
  • dhcpv4-server - improved logging;
  • dhcpv4-server - send all found lease options in reply to DHCPINFORM;
  • dhcpv6-client - allow unsetting "pool-prefix-length" parameter;
  • dhcpv6-client - improved log messages;
  • dhcpv6-relay - fixed link-layer address inconsistency with the original link-layer address in relay-forward packets;
  • dhcpv6-server - swap input and output RADIUS accounting statistics counters;
  • disk - added support for file-based swap space;
  • disk - added trim command which functions similarly to fstrim;
  • disk - fixed issue where iSCSI did not work with ESXi and XEN hypervisors;
  • disk - fixed issue with disks not mounting after swapping devices;
  • disk - fixed opening a drive in read-only mode if it became locked;
  • disk - improved BTRFS stability on TILE devices;
  • disk - renamed format file-system=trim and trim-secure to format file-system=discard and discard-secure;
  • disk - show if driver is encrypted and locked;
  • email - use default port if not specified;
  • fetch - added HTTP/2 support on ARM64 and x86/CHR devices;
  • fetch - increased default maximum redirect count to 2;
  • fetch - return error code and HTTP headers to :onerror script;
  • fetch - treat HTTP 304 return code as success;
  • gps - fixed GPS port disappearance after reboot for EC25-EU&KNe;
  • hotspot - do not invalidate static ARP entries;
  • hotspot - fixed www response after login by cookie;
  • iot - improved LoRa FSK modulation downlinking;
  • ip - added error messages to reverse-proxy rules;
  • ippool6 - allow creating sub-pool by specifying "from-pool";
  • ipsec - added "none" option to IPsec key QKD certificate field;
  • ipsec - added IKEv2 DDoS cookie activation setting;
  • ipsec - added logging for IPsec policy template group;
  • ipsec - added logging of IKEv2 connection SPI and initiator address;
  • ipsec - adjusted minimum generated PSK key length;
  • ipsec - fixed IKEv2 child policy reqid lost on rekey;
  • ipsec - fixed IKEv2 child reqid handling on traffic selector update;
  • ipv6 - added dhcp6-pd-preferred to /ipv6/nd/prefix to control P flag in Prefix Info Option RFC 9762;
  • ipv6 - delete SLAAC default route if there are no active SLAAC prefixes present and no new RAs received;
  • ipv6 - do not generate duplicate dynamic link-local addresses on tunnel type interfaces;
  • ipv6 - enable IPv6 fast-path after removing firewall rules;
  • ipv6 - improved system stability when manipulating IPv6 configuration that was added while IPv6 was disabled;
  • log - added comment support to rule entries;
  • log - added option to clear echo logs;
  • log - added option to prepend topics to BSD syslog message;
  • log - added script target for log actions;
  • log - fixed incorrect log message shown after canceling supout.rif creation;
  • log - fixed minor spelling issues;
  • log - fixed missing ID in trace logs after removing logging rule;
  • log - log "Secret must be set to run scripts from SMS" error only if ":cmd" prefix is used in SMS message;
  • log - use uppercase MAC address in firewall logging;
  • lte - added "auto" MTU option for LTE interfaces to use network-advertised MTU on supported devices;
  • lte - added AT command timeout for EC25-EU&KNe;
  • lte - added multi-apn and framed routing support for EC200A-EU modem (requires latest FW version);
  • lte - added roaming barring field to LTE "show-capabilities" menu;
  • lte - added subscriber number to monitor command for MBIM modems;
  • lte - added USB tethering support using iOS devices;
  • lte - clear about field status on firmware upgrade;
  • lte - do not allow modem firmware-upgrade on "inactive" interface;
  • lte - do not allow setting unsupported roaming barring settings for R11e-4G;
  • lte - do not flap LTE passthrough assigned interface on modem link state change;
  • lte - do not reconfigure LTE interface on configuration change error;
  • lte - enable DHCP relay packet forwarding to the cellular network for EG120K-EA and RG650E-AU;
  • lte - fixed "allow-roaming" setting to return error for modems that do not support roaming barring;
  • lte - fixed cases where AT dialer could get stuck in "modem not ready" state;
  • lte - fixed cases where incorrect network modes and bands could be suggested for active interface;
  • lte - fixed chained firmware update for Chateau 5G;
  • lte - fixed changing eSIM profile nickname;
  • lte - fixed changing MAC address for EC200A-EU modem;
  • lte - fixed displaying operator name for Chateau ax R17;
  • lte - fixed eSIM errors appearing on devices without eSIM support;
  • lte - fixed firmware update and status refresh for R11eL-EC200A-EU modem;
  • lte - fixed inappropriate external antenna selection on Chateau ax R17;
  • lte - fixed LTE interface IPv6 address generation to use EUI-64 for EC25-EU&KNe;
  • lte - fixed missing notifications to eSIM provider when eSIM provisioning canceled;
  • lte - fixed tethering support for Google Pixel Pro 8;
  • lte - fixed wrong MTU reading/setting for config-less modems;
  • lte - hide external antenna selection menu for the Chateau AX R17;
  • lte - improved APN IP type handling by enabling only the IP protocols defined in the assigned APN profile for config-less modems;
  • lte - make inactive LTE interface settable, LTE interface settings can be set without waiting for modem initial initialization;
  • lte - removed delay before querying modem status for config-less modems with info channel;
  • lte - show ICCID and IMSI also when the interface is disabled;
  • lte - strip modem reported padding characters for SIM card (ICCID) on Chateau ax R17;
  • mac-telnet - added interface property;
  • macsec - fixed hardware offload on S53 and C53 devices;
  • mesh - fixed missing S flag on interfaces after mesh disable/enable;
  • ping - added IPv6 support for flood-ping;
  • poe-out - added LLDP support for dual-signature PDs;
  • poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
  • poe-out - firmware update for 802.3bt capable boards (the update will cause a brief power interruption to poe-out interfaces);
  • port - fixed baud rate change for TILE architecture devices;
  • ppp - fixed Framed-Route attribute not being applied to correct VRF;
  • profiler - split "management" process into different smaller process groups;
  • radius - fixed initialization of incoming UDP socket in some situations;
  • radius - fixed RadSec SSL CPU usage increase on closed connections;
  • radius - improved incoming RadSec packet processing on busy service;
  • radius - improved logging;
  • rip,pimsm - separate the interface property from the address in /routing/rip/interface and /routing/pimsm/interface menus;
  • rose-storage - added XFS support;
  • route - added logs for check-gateway state changes;
  • route - expose built-in routing rules and allow changing their order under the /routing/rule menu;
  • route - fixed route removal after unexpected safe mode termination;
  • routerboard - allow changing /system/routerboard/settings from Netinstall via mode script;
  • routerboot - allow installing ARM64 on L009 device ("/system routerboard upgrade" required; configure "/system/routerboard/settings set preferred-architecture=arm64 boot-device=try-ethernet-once-then-nand"; start Netinstall with ARM64 image and reboot the device (DO NOT load the backup routerboot with reset button); downgrading to older versions must be avoided);
  • routerboot - fixed linking to 1000M-half for KNOT Embedded LTE4 ("/system routerboard upgrade" required);
  • routerboot - fixed possible Netinstall failure for KNOT Embedded LTE4 ("/system routerboard upgrade" required);
  • sfp - improved initialization and linking for some QSFP modules;
  • smips - reduced package size and removed ip-scan, mac-scan, ping-speed, flood-ping features;
  • snmp - added 5G NSA connection signal indications: nr-rsrp, nr-rsrq, nr-sinr;
  • snmp - fixed CA band indication;
  • snmp - fixed issue where bulk walk might skip the first OID;
  • snmp - fixed minor memory leak when changing SNMP authentication/encryption passwords;
  • snmp - fixed reply for empty snmpbulkwalk requests;
  • snmp - report RouterOS version in SNMPv2-MIB::sysDescr;
  • ssh - improved logging;
  • supout - wait up to 5 minutes for export to complete and show incomplete output in case of timeout;
  • switch - fixed missing switch-cpu port counters;
  • switch - updated switch-marvell.npk driver;
  • system - added reset-configuration keep-apps=yes;
  • system - display serial ports in the /system/resource/hardware menu;
  • undo - show user when configuring DHCP server or hotspot with setup command;
  • upgrade - added "password" parameter to "local-upgrade" feature when configuring through CLI;
  • upgrade - added IPv6 support for local package source and mirror;
  • upgrade - fixed local package mirror check interval;
  • upgrade - removed redundant commands from local package menu;
  • usb - updated device ids for ax88179_178a driver;
  • user-manager - added support for NAS-Identifier attribute;
  • user-manager - always respond to accounting requests;
  • user-manager - do not send Disconnect-Message for unknown usernames for Accounting-Request;
  • user-manager - do not send invalid NAS-Port-Type on CoA/PoD messages;
  • user-manager - fixed unauthenticated access to /PRIVATE/ userman web files;
  • user-manager - show empty value for session NAS-IP-Address if empty;
  • webfig - added missing icons for Firewall table;
  • webfig - added new section "Common names" in skin designer;
  • webfig - added support for collapsible tree view for menus like Interfaces, Files, Queues;
  • webfig - added support for URL fields;
  • webfig - fixed ability to set interworking.realms-raw WiFi interface attribute;
  • webfig - fixed skin designer mobile view for QuickSet and Terminal;
  • webfig - fixed Torch Filters default values;
  • webfig - improved address type field input value validation;
  • wifi - added keepalive message in CAPsMAN data channel;
  • wifi - added optional show-frame=radiotap parameter value to make sniffer display the radiotap header of captured frames;
  • wifi - allow specifying hostname to caps-man-addresses;
  • wifi - fixed channel switching for MediaTek access points;
  • wifi - fixed FT support with wpa2-psk-sha2;
  • wifi - fixed functionality of the wireless-signal-strength LED trigger;
  • wifi - fixed possible certificate failure after CAPsMAN disable/enable;
  • wifi - improved spectral-history width for console;
  • wifi - improved stability and fixed multiple issues;
  • wifi - improved system stability when using spectral-scan;
  • wifi - introduced /interface/wifi/network menu for higher level network configuration (CLI only);
  • wifi - quicker re-connections to APs for interfaces in station mode;
  • wifi - updated regulatory information for Malaysia;
  • wifi-mediatek - fixed rx chains functionality;
  • wifi-mediatek - updated driver and firmware;
  • winbox - added "Force Check" for local upgrade;
  • winbox - added comment in "System/Ports/Remote Access" menu;
  • winbox - added confirmation message to Format Drive;
  • winbox - added Container Repull command;
  • winbox - added error reporting to CAPsMAN Manager menu;
  • winbox - added GUI support for IPsec QDK;
  • winbox - added missing LoRa channel fields;
  • winbox - added socsify icon for firewall NAT rules;
  • winbox - added SwOS Allow From field;
  • winbox - added warning when changing global script variables;
  • winbox - allow using specified skin without the sensitive policy;
  • winbox - fixed applying a skin to a user authenticated with RADIUS;
  • winbox - fixed applying a skin to WinBox if it was uploaded via the branding package;
  • winbox - fixed default flag in certain menus;
  • winbox - fixed modem firmware-upgrade for the RG650E-EU modem;
  • winbox - fixed the "New QoS Profile" field for switch rules;
  • winbox - make File Share URL field clickable;
  • winbox - move "Default" panel from "IPv6/ND/Proxy" to "IPv6/ND/Prefixes";
  • winbox - recognize imported certificate key size;
  • winbox - rename "Change Now" to "Change" button in "System/Password" menu;
  • winbox - replace "DHCP" with "DHCPv6" in IPv6 menus;
  • winbox - set "Mount Filesystem" by default under "System/Disk" menu;
  • winbox - show separator after "Protocol" field for IPv6 Firewall rules;
  • winbox - show warnings in "MPLS/Traffic Eng/Tunnel" menu;
  • winbox - updated some setting and title names;
  • winbox - updated various WiFi properties;
  • wireguard - improved stability;
  • wireguard - merged upstream fixes and improvements;
  • wireless - avoid joining BSS that previously failed until all other options tried;
  • wireless - improved system stability when changing nstreme mode;
  • wireless - improved system stability when eap-method=passthrough configured for station;
  • x86 - fixed interface hang on RTL8125 when processing IP-fragmented UDP traffic;
  • x86 - improved link establishing on Intel X710 series NIC;

To upgrade, click Check For Updates under System/Packages menu and select the testing Channel in RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

  • Everything went smoothly
  • I encountered an issue after the update (please post about the device, configuration, and unexpected symptoms)
  • I encountered an issue, but solved it (please post the solution)
0 voters

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device.

Please keep this forum topic strictly related to this particular RouterOS release.

2 Likes

So, this version will also remain with stupid automatic replacement of tabs without user permission? :roll_eyes:

1 Like

This feature should be disabled in this release because it's not ready. The UI part in WinBox is not ready, but most importantly, the export (and restore from export) part is broken.

For example, on a 7.22rc1 installation without existing routing rules, if you add custom routing rules, the subsequent /routing rule export command produces nothing! Same with the top-level /export, no routing rule section will be seen in the export. You can also move the rules around, and /routing rule export will still be empty.

Only /routing rule export verbose shows the added rules.

Also, the fact that the add command adds routing rules at the bottom of the table, while to retain the previous <= 7.20 behavior they should be inserted between rule *FFFFFFFC and *FFFFFFFD, means that import from older .rsc files will be broken.

3 Likes

Does this have something with this error appearing in the log at boot:

image

And the appearance of these broken certificates:

image

My www-ssl service use an ACME certificate (with Let's Encrypt) with a custom domain, and that certificate is still there and valid, and assigned to www-ssl. However, I don't recall having ever added or touched the two in the screenshot above.

EDIT: Another reboot and now there are 3 of them :open_mouth:

image

Ok, I can now confirm that one is added for each reboot:

I see the new method for IPv6 PD.

I got a /56 from my ISP, and in dhcp-client I set prefix-length=60 to set up a local /60 pool; for me it is v6pool.

Then I create a sub-pool from this v6pool with prefix-length=64; any interface that requires a prefix will get a /64 from this sub-pool, up to 16 interfaces and VLANs.

And in /ipv6/dhcp-server, the address pool uses v6pool to get another 16 prefixes to give to sub-level routers.

/ipv6 dhcp-client
add add-default-route=yes  interface=pppoe-out1 pool-name=v6pool pool-prefix-length=60 request=prefix use-peer-dns=no

/ipv6 pool
add from-pool=v6pool name=v6pool_local prefix-length=64

/ipv6 address
add address=:: comment="RB4011 self" eui-64=yes from-pool=v6pool_local interface=bridge1
add address=:: advertise=no comment=Guest eui-64=yes from-pool=v6pool_local interface=vlan-guest
add address=:: advertise=no comment=IoT eui-64=yes from-pool=v6pool_local interface=vlan-iot
add address=:: comment=Dockers eui-64=yes from-pool=v6pool_local interface=dockers
add address=::1 advertise=no comment=WG1 from-pool=v6pool_local interface=wg1
add address=::1 advertise=no comment=WG4 from-pool=v6pool_local interface=wg4

/ipv6 dhcp-server
add comment="For J1900" interface=bridge1 lease-time=2d name=d6 prefix-pool=v6pool rapid-commit=no
add comment="for VLAN IOT" interface=vlan-iot lease-time=1h name=d6-iot prefix-pool=v6pool rapid-commit=no
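
As an added illustration of the nested pool layout described in the post above (this is not RouterOS code and not part of the post), the following Python models the three tiers with the standard ipaddress module: the /56 delegation is kept as a pool of /60s (v6pool), one /60 is split into /64s for local interfaces (v6pool_local), and the remaining /60s are what dhcpv6-server can still hand to downstream routers. The delegated prefix is a constructed RFC 3849 documentation prefix, since the post does not show the real one; the interface names are the ones from the posted config.

```python
"""Added example (not RouterOS code): model of the nested IPv6 pool layout
described in the post. The ISP delegates a /56, the router keeps it as a
pool of /60s (v6pool), carves /64s for local interfaces out of one /60
(v6pool_local), and hands the remaining /60s to downstream routers via
dhcpv6-server. The delegated prefix is a constructed documentation prefix."""
import ipaddress

# Constructed sample delegation, standing in for the /56 from the ISP.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:1200::/56")

# Interface names taken from the posted /ipv6 address configuration.
LOCAL_INTERFACES = ["bridge1", "vlan-guest", "vlan-iot", "dockers", "wg1", "wg4"]


def carve(parent, new_prefix):
    """All child prefixes of length new_prefix inside parent, like a RouterOS pool."""
    if new_prefix < parent.prefixlen:
        raise ValueError(f"/{new_prefix} cannot be carved from /{parent.prefixlen}")
    return list(parent.subnets(new_prefix=new_prefix))


def build_pools(delegated=DELEGATED_PREFIX, pool_prefix_length=60, local_prefix_length=64):
    """v6pool holds the /60s; v6pool_local takes the first /60 and splits it into /64s.

    The first /60 is consumed by the sub-pool, so only the other /60s remain
    for dhcpv6-server to delegate downstream."""
    v6pool = carve(delegated, pool_prefix_length)
    v6pool_local = carve(v6pool[0], local_prefix_length)
    downstream = v6pool[1:]
    return {"v6pool": v6pool, "v6pool_local": v6pool_local, "downstream": downstream}


def assign_local(pools, interfaces=LOCAL_INTERFACES):
    """Hand one /64 from v6pool_local to each local interface, in order."""
    free = pools["v6pool_local"]
    if len(interfaces) > len(free):
        raise ValueError(f"sub-pool has {len(free)} /64s, {len(interfaces)} interfaces requested")
    return dict(zip(interfaces, free))


def check_no_overlap(pools):
    """A /64 used locally must never overlap a /60 delegated to a downstream router."""
    return not any(
        local.overlaps(down)
        for local in pools["v6pool_local"]
        for down in pools["downstream"]
    )


if __name__ == "__main__":
    pools = build_pools()
    for iface, prefix in assign_local(pools).items():
        print(f"{iface:<11} {prefix}")
    print(f"{len(pools['downstream'])} /60s left for downstream routers; "
          f"no overlap with local /64s: {check_no_overlap(pools)}")
```

Running it shows the trade-off the layout implies: the sub-pool takes one whole /60 out of the sixteen, so fifteen /60s remain for delegation, and the overlap check confirms that nothing handed downstream can collide with a locally used /64.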

7.21 not really stable and 7.22rc is here?

5 Likes

My Technitium broke when I upgraded; it was using DoT. Anyway, I cleaned up and re-pulled, all good.
Also, what is this RED Certificate?

IPv6 default route issues reported in 7.21 have been fixed! Thank you Mikrotik team!

EDIT: Disregard - after rebooting router I am not seeing a default gateway for IPv6 and so my dual-stack setup fails on the ipv6 side when conducting tests.

2 Likes

A minor WinBox thing: in the App → detailed info about container, the [containerInterface] does not show the full veth interface name; it truncates after a dash for a long container name with a dash. The command line displays the name correctly and all works fine.

Do you remember which one is the original acme cert? I'm assuming it's the one that is 1770395191.

Can you look and see if it’s marked as trusted?

Also, can you check the acme directory url? What do you have?

I think it should be

https://acme-v02.api.letsencrypt.org/directory

You may need to downgrade to the previous version and then set www-ssl-acme-cert as trusted.

The [containerInterface] reflects the Linux device name in the container. For some reason (perhaps there is a max length of interface name, IDK...), it actually does truncate the name inside the container. So if you do some ifconfig or ip link, you'll actually see the truncated name there. Since it's truncated (again IDK why), the [containerInterface] variable should match the name inside the container, and the "outside" (RouterOS) VETH name in /app ... interface= does show the "full name".

Now why it truncates it when creating a container, IDK... And if for some reason it does need to be truncated, it's the last part that should be saved; perhaps strip veth-, e.g. veth-app-mycont vs app-mycontainer.

Are you referring to this? Would be good news

route still must be installed even if the managed-configuration option is the only one included, if RA lifetime is > 0.

1 Like

That is indeed it! They turned the fix around for that bug insanely fast.

1 Like

Indeed @Amm0 - thanks for pointing to this. If I start two containers, one custom with a dash in its name - the interface name is truncated:

[mikrotik@mikrotik] /container> shell 0
mikrotik:/# ifconfig
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:65536  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

veth-app-goaway Link encap:Ethernet  HWaddr 5A:F9:ED:84:7A:CB
inet addr:10.111.50.249  Bcast:0.0.0.0  Mask:255.255.252.0
inet6 addr: fe80::58f9:edff:fe84:7acb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:7047 errors:0 dropped:0 overruns:0 frame:0
TX packets:1825 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1249185 (1.1 MiB)  TX bytes:159341 (155.6 KiB)

mikrotik:/#
exit
done
[mikrotik@mikrotik] /container> shell 1
/ # ifconfig
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:65536  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

veth-app-caddy- Link encap:Ethernet  HWaddr 6A:76:71:79:C5:4A
inet addr:10.111.50.248  Bcast:0.0.0.0  Mask:255.255.252.0
inet6 addr: fe80::6876:71ff:fe79:c54a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:4915 errors:0 dropped:0 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:475895 (464.7 KiB)  TX bytes:24787 (24.2 KiB)

I started another pre-build container with a dash in its name - uptime-kuma, for this container [containerInterface] is shown as “veth-app-uptime” - at least there is no trailing dash at the end.

So looks like a bug or at least a minor inconsistency.

Let’s try again: 16MB ac devices like hap-ac2 are again at the “no space” state… after clearing console history storage is 15.9 of 16 MB full.

Mikrotik: PLEASE split qcom-ac package in two, there is really no need to have unnecessary drivers taking space and rendering the device unusable in the process!

Thanks for listening to your customers… or not?

Btw let’s not go down the “why do you update to the latest version anyway?” path… because it exists and I have plenty of 16MB devices that I use for testing before upgrading the production…

4 Likes

I looked it up. Linux kernel limits the name to 15 chars, so the ending - is more that you're at the 15 char limit, so RouterOS truncates it.

While some truncation may be needed... agree it should be "smarter", as the prefix is always veth-app-, you're left with 7 chars right now.

2 Likes
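To make the two posts above concrete: an added example (not code from the thread or from MikroTik) that models the 15-character Linux interface-name limit (IFNAMSIZ is 16 bytes including the terminating NUL), reproduces the names seen in the ifconfig output above, and implements the "smarter" scheme suggested earlier in the thread (drop the `veth-` part of the prefix before cutting, and never leave a dangling `-`). It also flags the practical risk of naive truncation: two containers whose names share the first few characters end up with the same in-container interface name. The `veth-app-` prefix is taken from the thread's output; that RouterOS derives the name as prefix + container name and cuts it at 15 characters is an assumption, not something the thread confirms.

```python
"""Interface-name truncation model for RouterOS containers (added example).

Assumption (not confirmed by the thread): the in-container name is built as
'veth-app-' + <container name> and then cut at IFNAMSIZ - 1 characters.
"""
from collections import defaultdict

IFNAMSIZ = 16              # Linux limit: 16 bytes including the trailing NUL
MAX_IFNAME = IFNAMSIZ - 1  # so 15 usable characters
PREFIX = "veth-app-"       # prefix observed in the thread's ifconfig output


def container_ifname(container: str) -> str:
    """Naive truncation as observed in the thread: keep the first 15 chars."""
    return (PREFIX + container)[:MAX_IFNAME]


def smarter_ifname(container: str) -> str:
    """Scheme suggested in the thread: keep the full name if it fits,
    otherwise drop the 'veth-' part of the prefix to gain five characters,
    and only then truncate, stripping any dangling '-' left at the end."""
    full = PREFIX + container
    if len(full) <= MAX_IFNAME:
        return full
    short = full[len("veth-"):]          # 'app-' + container
    if len(short) <= MAX_IFNAME:
        return short
    return short[:MAX_IFNAME].rstrip("-")


def find_collisions(containers, namer=container_ifname):
    """Group container names by the interface name they would receive and
    return only the groups where two or more containers collide."""
    by_ifname = defaultdict(list)
    for name in containers:
        by_ifname[namer(name)].append(name)
    return {ifname: names for ifname, names in by_ifname.items() if len(names) > 1}


def report(containers):
    """Compare both schemes for a list of container names (constructed input)."""
    rows = []
    for name in containers:
        rows.append((name, container_ifname(name), smarter_ifname(name)))
    return rows


if __name__ == "__main__":
    # Constructed sample: names from the thread plus two that collide.
    sample = ["goaway", "uptime-kuma", "caddy-web", "caddy-api", "mycontainer-extra"]
    for name, naive, smart in report(sample):
        print(f"{name:20} naive={naive:16} smarter={smart}")
    print("collisions (naive):  ", find_collisions(sample))
    print("collisions (smarter):", find_collisions(sample, smarter_ifname))
```

Running the script with the constructed sample shows `caddy-web` and `caddy-api` both mapping to `veth-app-caddy-` under naive truncation, which is exactly the dangling-dash name from the second container's ifconfig output; the alternative scheme keeps the two apart and stays within 15 characters for every input.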

None of them are the original certificate. As I wrote above, the original working certificate is still there and assigned correctly to the services (www-ssl, api-ssl and SSTP), and is still valid until April.

I've never added or changed anything with www-ssl-acme-cert in the name. This is my test RB750Gr3 and before the upgrade from beta6 to rc1 there were only the two certificates first listed in the screenshot. That Lets encrypt1749359166 certificate has been there and in use for quite a while, and went through multiple renewals. As you can see from the Unix timestamp in the name, it has been named like that since June 8, 2025.

As for those 4 bogus certificates, they seem completely broken with no valid information:


From the log, at boot the router mentioned that the 3 bogus certificates needed to be renewed, and then created the 4th one afterwards.

However, automatic renewal for ACME certificate on this router will never work, because www is explicitly turned off, and port 80 is not open in the firewall, and the Lets encrypt1749359166 cert uses my sub domain, not the IP Cloud one.

Another thing that might cause the above is that this router will never have internet connectivity in the first 30+ seconds after boot. It's connected to a port with 802.1X active, but is not configured as an 802.1X client. The router normally has to wait 30s for the upstream port to switch to guest mode (after receiving no authentication attempts) and put it in the guest VLAN, where the upstream PPPoE server is available. Only then can it have internet connectivity.

I am guessing that the change in rc1 might be that the router now tries to create the ACME certificate for the IP Cloud domain in any case, even when the services are already configured with the custom domain ACME certificate. However, at boot it has no internet connectivity and cannot contact MikroTik's server to confirm the IP Cloud domain or use the help of the remote server to request the certificate with DNS-01. That could explain why the bogus certificates have no CN or SAN information.

This is what I did.

Remove the bogus certificates and create a new acme certificate with the name www-ssl-acme-cert-1749359166

It’s important to use the same Lets encrypt 1749359166.

Use the acme directory url

https://acme-v02.api.letsencrypt.org/directory

Once it's created it won’t let you mark it as trusted.

I had upgraded to 7.22beta6. After the upgrade go to the acme certificate www-ssl-acme-cert-1749359166 and mark it as trusted.

This is how I got around this error.

I haven’t tried going to 7.22rc1

I got busy doing other things. But you might wanna try what I did.

Note: I also thought it was an open port issue. So, I opened up port 80 and port 443 but that didn’t make any difference. I also took a look at the MT docs and saw that the acme directory url was pointing to a Zero trust SSL directory url? Did MT have a fallout with Let’s Encrypt and go to Zero trust?

ZeroSSL acme api directory url from MT doc

/certificate/enable-ssl-certificate directory-url=https://acme.zerossl.com/v2/DV90

IDK

1 Like

Thanks! I think that URL in the doc only serves as example for the case when we want to use services other than Let's Encrypt (which means if we don't specify the directory-url parameter, then it should default to LE).

In my case, I don't want or need the certificate with the mynetname.net IP Cloud subdomain. I've never requested that certificate on this router either, always only with dns-name=my-domain. And I also don't need the router to automatically renew the certificate, because I want to control that process by enabling the service and opening the port only when needed.

So, in my opinion RouterOS should keep the previous behavior and should not initiate unsolicited certificate requests / creations.

I hope that will get fixed in the next release. Did you make a support ticket on this?

I did make that change in the acme certificate settings to use Let’s Encrypt url api. So, it looks like it doesn’t default to it.

I also ran enable-ssl-certificate on firmware version 7.22rc1 but now it’s broken.

Said to use acme add function. Which doesn’t seem to work correctly either.

I hope MT adds a enable/disable function.