V7.23beta [development] is released!

Announcements
1

Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.23beta5 (2026-Arp-01 19:30):

  • app - added lorawan-stack, mikrodash, trip apps;
  • app - added restart command;
  • app - updated uptime-kuma image;
  • bridge - fixed missing dynamic "switch-cpu" VLAN entry in WiFi setup;
  • certificate - added "ISRG Root X1" and "DigiCert Global Root G2" to SMIPS built-in root certificate authorities store;
  • console - added comment in "/ip/dhcp-server/option/sets" and "/ipv6/dhcp-server/option/sets" menus;
  • console - added path parameter to export;
  • console - export mentions custom defconf script presence in header (additional fixes);
  • console - fixed output when oversized completion present;
  • console - rename "cpu-used-per-cpu" to "cpe-used-per-core" in "/system/resource/monitor";
  • console - show warning in print header when terminal is too narrow to show any columns;
  • console - treat non-existent command parameters as runtime errors;
  • container - allow setting memory-max global and per container (additional fixes);
  • dhcpv4-server - added "add-dns" and "add-dns-suffix" properties for creating local DNS entries;
  • discovery - added "add-dns-entries" and "dns-entry-suffix" properties for creating local DNS entries;
  • disk - improved device name tracking in "/system/resource/hardware" menu;
  • disk - use USB UASP interface for supported devices (additional fixes);
  • ethernet - improved system stability for RB3011, L009, NetMetal ax, hAP ax lite devices;
  • ethernet - improved system stability on devices with Alpine CPUs;
  • firewall - improved system stability;
  • health - hide health menu for RB951ui-2nD;
  • iot - improved LoRa Tx scheduling;
  • ip - fixed hanging connections for reverse-proxy;
  • ipv6,ra - improved service stability;
  • ipv6,ra - use received prefix when RA on-link flag is 0 (introduced in v7.22);
  • log - fixed crash when a rule references a non-existent action (introduced in v7.23beta2);
  • lte - improved system stability when modem configured in passthrough mode with VLANs for "Chateau 5G R16" and "Chateau 5G";
  • lte - keep MAC persistent across reboots for QMI modems;
  • ospf - fixed missing interface-template configuration which previously was converted by upgrading from RouterOS v6 (additional fixes);
  • ovpn - fixed OVPN push routes;
  • ping - resolve domain name to IPv6 if src-address is IPv6 address;
  • port - expose RG650E-EU diagnostics channel;
  • port - remove unused serial port on RB1100AHx4;
  • ptp - allow manual domain configuration for 802.1AS profile;
  • ptp - fixed crash during initialization on some devices;
  • ptp - set DSCP (EF) for default profile when using IPv4;
  • switch - use names instead of numbers in switch menu configuration export;
  • system - improved stability for internal RouterOS service communication;
  • upgrade - added the option to configure HTTP/HTTPS modes when connecting to MikroTik upgrade servers (additional fixes);
  • webfig - added postfix byte value support (e.g. "/ip/settings/ipv4-high-fragment-thresh");
  • wifi - improved authentication stability for WiFi 7 access points;
  • wifi-qcom-be,mediatek - correctly advertise RRM capabilities when 802.11k neighbor reports are enabled;
  • winbox - added “Remove” action under "System/Certificates/Requests" menu;
  • winbox - do not accept interface without specifying IP or MAC in "Ping To" field;
  • winbox - show "Directory URL" field for ACME certificates in Certificate view;
  • winbox - show accepted connections in tree view under "IP/Services" menu;

What's new in 7.23beta4 (2026-Mar-25 16:31):

  • app - added birdnet-go, cryptpad, diagrams-net, metube, nextcloud-whiteboard, paperless-ngx, wbo, zulip apps;
  • app - allow filtering by installed apps;
  • app - allow picking app category from drop-down;
  • app - automatically restart app when required hardware device is changed;
  • app - bundled ollama with openwebui;
  • app - fixed issue where XFS disks did not appear in the app disk drop-down;
  • app - make sure all layer .tar.gz files are deleted after extraction finishes;
  • bfd - fixed source address selection for IPv6 multihop sessions;
  • bgp - fixed stability issue when nonexistent output select-chain was specified;
  • bgp-vpn - fixed non-working import filter after reboot;
  • bridge - improved MAC synchronization for MLAG (additional fixes);
  • bth - fixed WireGuard client config IP address netmask;
  • chr - improved guest tool config for arm64 CHR;
  • console - removed the "reset" command from shared settings menus (IP/IPv6/Bridge/L3HW/Neighbor-Discovery/Connection-Tracking);
  • container - added support for noexec option to mounts;
  • container - added support for USB audio devices for containers;
  • container - do not allow starting container/shell with non-existing user or group;
  • container - draw graphs in container stats;
  • container - remove container backup directory if import fails;
  • container - show container size and container data size;
  • container - show default DNS servers;
  • dhcpv4-server - changed lease agent-circuit-id and agent-remote-id format to HEX;
  • discovery - added option to disable/enable LLDP MED;
  • discovery - added separate read-only menu "/ip/neighbor/lldp" for neighbors discovered by LLDP the (CLI only);
  • discovery - dynamically update advertised "interface-name";
  • discovery - fixed LLDP MAC/PHY TLV;
  • disk - added disk check and repair for ext4, btrfs and xfs file systems;
  • disk - use USB UASP interface for supported devices;
  • file - added copy, tail, head commands (CLI only) (additional fixes);
  • graphing - improved service stability when storing data;
  • interface - show warning when same MAC address is used on more than one virtual interface;
  • iot - improved LoRa stability;
  • ip - added SNI logging for reverse-proxy;
  • ip-settings - added ipv4-fragment-time and ipv4-high-fragment-thresh settings, use default values based on total device memory (additional fixes);
  • ippool6 - properly follow pool changes for already used prefixes;
  • log - added ssld error logging (additional fixes);
  • log - do not provide non-existent logging topics for configuration;
  • log - fixed "/system/logging/action/get" command (introduced in v7.22);
  • lte - added fast SIM switchover support using AT channel for MBIM modems without MBIM_CID_MS_UICC_RESET firmware support;
  • lte - configure IP address for AT modems even if no DNS is received from the network;
  • lte - do not reconfigure modem in passthrough mode if passthrough cannot be activated because of slave interface;
  • lte - fixed automatic modeswitch for "Chateau 5G R16" and "Chateau 5G";
  • lte - fixed broken network scan after being interrupted by reconfiguration;
  • lte - fixed LTE modem automatic modeswitch (introduced in v7.22);
  • lte - fixed missing automatic redial when cellular connectivity is lost for R11e-LTE;
  • lte - improved system stability;
  • lte - stop network scan on interruption for QMI modems;
  • lte - unify "modem-init" for all driver types;
  • ospf - allow adding interface configuration manually, bypassing interface-template;
  • ospf - change virtual link configuration to use OSPF interface directly;
  • ospf - fixed missing interface-template configuration which previously was converted by upgrading from RouterOS v6;
  • qos-hw - added ECN and PFC support on CRS8xx (additional fixes);
  • qos-hw - display queue0 limits for CPU port;
  • qos-hw - fixed "offline" tx-manager ability to queue at least one packet (introduced in v7.21);
  • qos-hw - fixed CPU traffic mapping to queues on CRS8xx switches;
  • qos-hw - prohibit setting CPU port with "offline" tx-manager;
  • route - fixed link-local interface check when resolving IPv6 nexthops;
  • route - improved service stability when removing routes;
  • routerboard - fixed applying settings via WinBox on devices with fixed CPU frequency;
  • routerboot - fixed Netinstall failure when using multiple partitions on AL73400, AL52400, AL32400 CPUs ("/system routerboard upgrade" required);
  • sftp - fixed path canonicalization request;
  • snmp - added missing BRIDGE-MIB OIDs (dot1dBaseNumPorts, dot1dBaseType, dot1dStpDesignatedRoot, dot1dStpRootCost, dot1dStpRootPort, dot1dStpHoldTime, dot1dStpBridgeMaxAge, dot1dStpBridgeHelloTime, dot1dStpBridgeForwardDelay, dot1dStpPortForwardTransitions, dot1dTpAgingTime);
  • snmp - added missing LLDP-MIB OIDs (lldpMessageTxInterval, lldpMessageTxHoldMultiplier, lldpLocManAddrTable);
  • snmp - fixed compliance of LLDP-MIB lldpRemManAddrTable;
  • snmp - fixed dot1dStpPortDesignatedPort OID;
  • snmp - fixed ifSpeed and ifHighSpeed OIDs for 802.3ad and balance-xor bonding interfaces;
  • snmp - fixed lldpLocSysDesc OID;
  • snmp - fixed return value for certain string OIDs (introduced in v7.23beta2);
  • snmp - use "/ip/neighbor/lldp" for lldpRemTable and lldpRemManAddrTable (fixes lldpRemTable showing neighbors discovered by MNCP or CDP);
  • ssh - improved host resolve error logging;
  • switch - improved FDB operations on QCA8337, Atheros8327;
  • switch - rework how IEEE reserved MAC addresses are handled on QCA8337, Atheros8327;
  • system - added FCC Part 15 Compliance label to "System/Regulatory" menu;
  • system - included full certificate chain to Windows executables;
  • system - keep HTTP/2 connection open if it is not closed by system or server;
  • system - make default identity based on board name;
  • veth - fixed link-local address not being configurable as a gateway;
  • wifi-mediatek - fixed HE capabilities IE on 2GHz band;
  • winbox - added "MLD Static" and "MLD Datapath" properties under the "WiFi/CAP" menu;
  • winbox - added "Multipath" property under the "Routing/BGP/Instance" menu;
  • winbox - added "Supported HW Caps" and "Multi Link Mode" configuration options under the "WiFi/Provisioning" menu;
  • winbox - allow setting "CAPsMAN address" for CAP as domain name;
  • winbox - do not set empty chain when adding/editing routing rule;
  • winbox - improved "External Antenna" property display;
  • winbox - properly display multiple bands for multi-link interface clients under registration table;
  • winbox - show "IPv6 Address" property by default under the "IP/Neighbors" menu;
  • wireguard - improved system stability;

What's new in 7.23beta2 (2026-Mar-13 11:52):

  • app - added docker-with-dockge, docker-with-komodo, docker-with-portainer, HA-otbr-matter, odoo, otbr, stalwart apps;
  • app - added possibility to set app command-line parameter from CLI;
  • app - allow apps on xfs file system;
  • app - allow overriding default stop signal;
  • app - allow parsing DNS in YAML;
  • app - allow passing stop signal from YAML and passing it to container as default;
  • app - allow updating name parameter from YAML for custom apps;
  • app - allow updating YAML for existing custom app, forces cleanup;
  • app - apps now check for port availability, apps will not start on "internal" if app masks existing service;
  • app - automatically pass any required devices to container, such as otbr;
  • app - disabled PiHole syncing NTP to host;
  • app - fixed potential crash when running cleanup on a lot of apps;
  • app - fixed saving custom apps;
  • app - fixed showing ui-url for apps;
  • app - fixed uptime-kuma and jupyter-notebook;
  • app - fixed YAML not exported for custom apps;
  • app - improved app networks and port behavior;
  • app - improved automatic hardware device passing to container;
  • app - improved YAML error message;
  • app - on file based devices, swap is enabled on the file itself instead of creating another one and enabling it on that;
  • app - stability fixes for the "/app" menu;
  • app - swap file is now created based on the mount-point it is attached to;
  • arm64,x86 - updated Broadcom bnxt Ethernet driver for 200G support;
  • bridge - added ability to set custom Option 82 with dhcp-agent-circuit-id, dhcp-agent-remote-id settings (replaces add-dhcp-option82 setting; configuration is automatically updated after upgrade);
  • bridge - added DHCPv6 snooping feature with ability to set custom Option 18 and Option 37;
  • bridge - improved MAC synchronization for MLAG;
  • bridge - recognize more DHCP message types when dhcp-snooping is enabled;
  • certificate - added option to configure built-in trust store for all services (CLI only);
  • certificate - use "default" for built-in trust store default value;
  • chr - improved virtio_net stability;
  • cloud - show error if cloud services are not supported on the device;
  • console - added syntax highlight for script properties in some menus (e.g. dhcp-client, dhcp-server, ppp/profile, interface/vrrp);
  • console - export mentions custom defconf script presence in header;
  • console - fixed "/log/print follow on-event" to work with "where" (introduced in v7.22);
  • console - removed redundant keepalive for the serial-terminal, ensure that the device no longer periodically outputs /0 while using "/system/serial-terminal";
  • console - show "/system/resource/hardware/usb-power-reset" only on x86;
  • container - added restart-policy=no/always/on-failure, stop-on-unhealthy, restart-count, restart-interval, restart-max-count properties;
  • container - allow disabling individual container environment variables without deleting them;
  • container - allow picking mount source directories with the file picker in WinBox;
  • container - allow setting memory-max global and per container;
  • container - allow user-defined mounts overriding /sys and /dev;
  • container - clean up layers of non-existing containers;
  • container - detect and show containers killed by out-of-memory killer;
  • container - fixed container entrypoint and shell override by user;
  • container - fixed container layer size calculation;
  • container - fixed container shell not working with multi-arg commands;
  • container - fixed losing container after reboot;
  • container - fixed repull if root-dir of container was in tmpfs;
  • container - fixed running "/container shell" with the correct user, if container user is set or overridden;
  • container - improved errors at container start;
  • container - improved running container instance memory usage;
  • container - layers are now accessible under "Layers" tab;
  • container - pass any container startup error message back to "run" and make it exit immediately;
  • container - removed "Layers" button;
  • container - show layer size calculation status;
  • crypto - fixed fallback flag loss in qcrypto;
  • crypto - improved safexcel driver with upstream changes and patches;
  • dhcpv4-server - do not raise an alert when receiving a packet originating from the same device;
  • dhcpv4-server - do not suggest bogus pools when using setup command (e.g. when address is /31 or /32);
  • dhcpv4-server - fixed an issue where renew packets without giaddr were sometimes not processed;
  • disk - added "/disk" smart-info;
  • disk - show disk io errors in "/disk" menu;
  • dns - added HTTP/2 support to DoH on ARM64 and x86/CHR devices;
  • fetch - fixed non-working idle-timeout in some cases;
  • file - added copy, tail, head commands (CLI only);
  • firewall - improved stability for SIP helper;
  • hardware - name serial devices after port names;
  • hardware - name storage hardware devices after slot name in "/disk" menu;
  • hardware - report the correct state of PCI devices in "/system/resource/hardware" menu;
  • iot - added LoRa Tx delay setting;
  • iot - added MQTT subscribe message real-time monitoring option;
  • iot - added Wiliot support;
  • iot - fixed LoRa LBT issues, which caused Tx packets not getting delivered;
  • iot - improved LoRa Tx handling;
  • ip-settings - added ipv4-fragment-time and ipv4-high-fragment-thresh settings, use default values based on total device memory;
  • ipip - disabled IPv6 link-local address generation;
  • ippool - fixed issue when changing pool with already used addresses;
  • ippool6 - allow variable length pool;
  • ipsec - added netlink-based SA and policy handling;
  • ipsec - fixed SA proto parameter conversion and policy "none" type handling;
  • ipv6 - added from-pool-policy address property that controls how address is acquired from the pool;
  • ipv6 - always ensure that prefix length matches the one given by the pool even if address was set to 0;
  • ipv6,ra - added option to ignore MTU and DNS servers;
  • ipv6,ra - added router-advertisement-route-distance setting;
  • ipv6,ra - allow receiving DNS servers over multiple interfaces;
  • ipv6,ra - clamp valid-lifetime to minimum of 2h on deprecation;
  • ipv6,ra - extend processed RA logging;
  • ipv6,ra - fixed advertised DNS parameter logging;
  • ipv6,ra - fixed changing default "all" interface configuration;
  • ipv6,ra - fixed DNS and pref64 property unset;
  • ipv6,ra - fixed sending only DNS or MTU when prefix is set to "none";
  • ipv6,ra - warn when interface is under the bridge;
  • l3hw - added HW offloaded VRF support on CRS8xx switches;
  • l3hw - added VRF assignment via switch ACL rules on CRS8xx switches (CLI only);
  • l3hw - fixed VXLAN packet matching by local IP;
  • l3hw - improved system stability (introduced in v7.21);
  • leds - added new PoE fault LED cases (bad fw, PoE card power cable disconnected, PoE card not inserted);
  • leds - allow multiple interface selection for interface-activity trigger;
  • log - added CC option for e-mail action;
  • log - added ssld error logging;
  • log - added TLS support;
  • lte - do not duplicate primary-band also in ca-band for QMI modems in 5G SA network;
  • lte - emit RS every 60s on LTE interface;
  • lte - filter packets by MAC in multi-apn setup for EC200A-EU modem;
  • lte - fixed RSSI signal monitor 3rd party modems where AT+CSQ responses are not parsed;
  • lte - fixed Tx stat reporting in LTE passthrough mode (introduced in v7.22);
  • lte - fixed user set MTU not applied to LTE interface;
  • lte - improved system stability for devices with QMI modems;
  • lte - improvements for passthrough mode in IPv6 only setup;
  • lte - read subscriber number also for QMI modems;
  • lte - removed LTE external-antenna scan;
  • lte - set SMS send timeout to 180s;
  • lte - show external-antenna as "none" before actual scan is done instead of empty value;
  • lte - show MTU as "auto" also on interface level if "auto" used;
  • lte - SIMCom modems, skip error state when modem sends improperly formatted CREG response/URC;
  • macsec - added aes-gcm-xpn-128 cipher support;
  • ospf - fixed nssa bit check;
  • ospf - fixed routes not being installed on ABRs;
  • pimsm - do not ignore priority when selecting RP from BSR;
  • pimsm - fixed possible BSR loop;
  • pimsm - improved stability;
  • ping - show time in microseconds for flood-ping;
  • poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
  • port - added support for "tcp-client" and "udp" modes for "remote-access";
  • pppoe - do not reset pppoe-client interface when adding a comment;
  • ptp - added support for CRS812, CRS804;
  • qos-hw - added automap setting to QoS Profiles (enabled by default);
  • qos-hw - added ECN and PFC support on CRS8xx;
  • qos-hw - added new default "auto" value to mirror-buffers, multicast-buffers, shared-buffers QoS Settings (old defaults are shown in export after upgrade);
  • qos-hw - added queueX-byte-max stats to port usage on CRS8xx;
  • qos-hw - introduced lossless-traffic-class and lossless-buffers settings;
  • qos-hw - removed shared-pool-index setting;
  • quickset - fixed configuration of multi-link APs;
  • smb - do not start /ip smb server on container interfaces;
  • sniffer - added IP ECN field;
  • sniffer - fixed missing VLAN tag in the TZSP packets;
  • snmp - enforce minimum password length;
  • snmp - fixed connection tracking counter OID;
  • snmp - fixed dot1dStpPortDesignatedRoot and added dot1dStpPortDesignatedBridge OID;
  • snmp - implemented LTE firmware upgrade option;
  • ssh - do not advertise password login method when it is disabled;
  • ssh - make login process asynchronous;
  • switch - disable EEE on RB5009 and CCR2004-16G-2S+ devices;
  • switch - updated switch-marvell.npk driver;
  • system - fixed total memory reporting on hAP be3 Media;
  • tr069 - fixed modem extended revision reporting;
  • upgrade - added the option to configure HTTP/HTTPS modes when connecting to MikroTik upgrade servers;
  • upgrade - changed status message for scheduled installs;
  • upgrade - check for available packages when opening System/Packages in GUI;
  • upgrade - use HTTPS by default when connecting to MikroTik upgrade servers;
  • usb - added ax88179_178a driver;
  • usb - improved USB Ethernet adapter recognition;
  • usb - show USB device reported maximum power;
  • vxlan - improved system stability for TILE devices;
  • webfig - added support for filter in tables;
  • wifi - fixed bridge VLAN configuration for multi-link interfaces;
  • wifi - fixed EAP authentication for multi-link clients;
  • wifi - improved link-specific parameter application after reboot for multi-link interfaces;
  • wifi - improved stability during association;
  • wifi-mediatek - fixed multicast-enhance functionality;
  • wifi-qcom-be - fixed forwarding of 4-address data from station to station;
  • wifi-qcom-be - fixed incorrect channel info for punctured channels;
  • winbox - added comment for DHCPv6 relay;
  • winbox - added group numbers for DH and PFS groups for IPsec;
  • winbox - fixed Remote AS setting under the Routing/BGP/Connections menu;
  • winbox - fixed Src/Dst Address Type under the IP/Firewall/NAT menu;
  • winbox - improved Routing/PIM SM menu;
  • winbox - move bridge IGMP Snooping checkbox to IGMP tab;
  • winbox - rename DHCPv6 server binding "Peer Address" to "Client Address";
  • winbox - show "External Antenna Selected" field only when "auto" selected;
  • winbox - updated socksify icon for firewall NAT rules;
  • www - added partial content (HTTP 206) support;
  • www - improved system stability;
  • zerotier - upgraded to version 1.16.0;

To upgrade, click Check For Updates under System/Packages menu and select the development Channel in RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

  • Everything went smoothly
  • I encountered an issue after the update (please post about the device, configuration, and unexpected symptoms)
  • I encountered an issue, but solved it (please post the solution)
0 voters

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

2 Likes
FEATURE REQUEST: HTTP/2 support into DoH
RB5009UG+S+ Performance Issues w/ ether1 2.5G
Quad9 to drop support for HTTP 1.1
Ipv6 pool : change prefix when address is based on?
3
  • dns - added HTTP/2 support to DoH on ARM64 and x86/CHR devices;
    sweet!! :grinning_face:
4 Likes
4

Would love to see this come to the CCR2216 as well.

2 Likes
5

Great..., getting closer and closer to 7.23.5...

6

Receiving lots of these in log:

2026-03-16 13:28:43 ssld,error ssl: close notify received, cert store:

What is that about?

7

Nice.

Is implemented also on other devices on future, or there is no hope?

3 Likes
8

disk - added "/disk" smart-info;

can somebody confirm if that’s including the NVME health which isn’t standard smart?

I’ve been hoping for them to add extra rose features… but if it’s stable. I guess it’s stable

9

it's nice to finally have file copy function. Is there a chance to have recursive copy and archive mode (copy only newer) in the future?

10

*) ipv6,ra - added router-advertisement-route-distance setting;

Yes!

2 Likes
11

Looks like this is caused by sending e-mail (/tool/e-mail/send ...).

12

Version 7.23 beta2 still has random routing stuck issues. Routes aren't visible in Winbox's IP/Route or CLI's /routing/route print. Supout and video evidence have been submitted under ticket SUP-209164

13

Whenever i send email i get error:

ssl: close notify received, cert store:

Emails send just fine regardless, is this some kind of bug or im supposed to do something about this?

14

anyone managed to configure dns4eu successfully on this version ?

1 Like
15

Yep…

/ip dns
set allow-remote-requests=yes servers=86.54.11.100,86.54.11.200,2a13:1001::86:54:11:100,2a13:1001::86:54:11:200 
use-doh-server=https://unfiltered.joindns4.eu/dns-query

So far it just works :slight_smile:

16

/system/package/update> check-for-updates
channel: development
mode: https
check-certificate: yes
ip-verson: auto
installed-version: 7.23beta2
status: ERROR: IPv4: ssl: crl not found for: "CN=mikrotik.com" (6)
IPv6: ssl: crl not found for: "CN=mikrotik.com" (6)

17

Will the container management apps like Portainer , Dockage, and Komodo allow installation of containers?

There are some containers that I cannot install using the container module. Having the ability to install them via a management app would be great. Karakeep and MeTube are two examples.

1 Like
18

Can you set this per interface?

20

Ditto for the CRS520

1 Like
21

Sadly, there is no split-up of the wifi-qcom-ac package. :cry: Waiting for 7.24.

2 Likes
22 
/ipv6 address
add address=::1 from-pool=digi-pd interface=vlan188

/ipv6/address/print 
13   G 2a02:xxxx:yyy:zz00::1/64          digi-pd    vlan188     main  yes

00 !! thank you!