V7.24beta [development] is released!

Before an upgrade:

1. Remember to make backup/export files before an upgrade and save them on another storage device;
2. Make sure the device will not lose power during upgrade process;
3. Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.24beta3 (2026-Jun-19 14:02):

• app - added "HF_TOKEN" env to openwebui;
• app - added "network-outgoing-access" parameter which does not allow app to make outgoing connections;
• app - added hermes-agent;
• app - allow "reset" even if disk not configured;
• app - allow setting "working_dir" in app YAML;
• app - fixed "reset" not working with certain apps;
• app - fixed apps not updating firewall redirects when changed in YAML;
• app - fixed apps sometimes getting stuck on "waiting for layer";
• app - only generate secrets for enabled apps;
• app - removed healthcheck from opencloud-extended-collabora;
• app - resolved issue where duplicate swaps are created;
• app - show CHR's address instead of the container's;
• bgp - improved stability when receiving malformed packets;
• bridge - added scheduling point during VLAN processing to prevent soft lockups when flushing FDB over large VLAN ranges;
• bridge - fixed local static host entries (additional fixes);
• bridge - fixed MLAG MAC address handling issues related to aging, flushing and moving;
• bridge - fixed stuck MLAG session when using mismatched L2MTU (introduced in v7.23);
• bridge - temporarily reverted ARP inspection and IP source guard support (introduced in v7.24beta2);
• certificate - use AES encryption when exporting certificates in PKCS#12 format;
• console - added comparison operators for array type;
• console - fixed issues with multi-argument properties (introduced in v7.24beta2);
• console - renamed "reauth-timeout" to "reauth-period" in "/interface/dot1x/server" (backwards compatible via deprecation);
• container - added "save" command to allow saving container images;
• container - added "swap-current" usage;
• container - added "swap-max" global and per-container limit;
• container - added ability to run containers in privileged mode;
• container - added initial support for RKE2;
• container - fixed container "devices" override to appear under "/dev";
• container - improved layer size calculation to avoid potential loops;
• discovery - added "last-breath" feature (additional fixes);
• disk - resolved issue where storage device may change information upon reboot;
• ethernet - fixed stability issue for Chateau PRO ax devices;
• ethernet - fixed stability issue for devices with Alpine CPU;
• ipsec - fixed policy move handling;
• ipsec,ike1 - fixed negotiated PFS validation;
• ipsec,ike2 - improved PPK handling by always using it when authorized, including additional Child SAs, and moved PPK processing to the Child SA task;
• ipsec,qkd - moved QKD to "/system/keymat-provider" menu and made it a generic key material provider;
• ipv6,ra - fixed prefix invalidation (additional fixes);
• leds - added dark mode support for hAP ax2, hAP ax3, hEX refresh, hEX S (2025), hAP ax S and Chateau ax devices;
• leds - fixed missing wireless LED configuration (introduced in v7.21);
• lte - enabled AT registration unsolicited event reporting for EG25-G and EC25-EU boards;
• lte - fixed cases where EC25-EU and EG25-G boards would receive packets with missing last 4 bytes;
• lte - fixed IPv6 RA handling for multiapn non-primary interface;
• lte - limit IPv6 prefix lifetime only when lifetime is advertised as infinity (additional fixes);
• netwatch - fixed an issue with DNS probe "timeout" parameter;
• netwatch - fixed HTTP GET probe over IPv6;
• poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
• poe-out - firmware update for 802.3bt capable boards (the update will cause a brief power interruption to poe-out interfaces);
• ppp - fixed cases where BG77 or BG770 firmware upgrade was not available;
• ppp - improved "info" command for BG77 and BG770 modems (additional fixes);
• routerboard - renamed "ipq53xx" firmware type to "ipq5300";
• supout - added LTE eSIM section;
• upgrade - prevent package scheduling from interfering with the upgrade feature;
• wifi - updated radio regulatory information;
• wifi-mediatek - improved channel switching;
• wifi-qcom - fixed connectivity after interrupted DFS channel availability check (introduced in v7.24beta2);

What's new in 7.24beta2 (2026-Jun-10 10:44):

• app - allow HTTP for Gitea when "check-certificate=no";
• app - fixed home-assistant default config files;
• app - fixed making empty directories when running configuration export;
• app - make secrets sensitive to avoid polluting configuration export;
• bgp - fixed advertisement print handling by "dst" when destination is in VRF;
• bgp - fixed EVPN label corruption and correct EVPN type-5 output;
• bgp - fixed IPv6 End-of-Route processing;
• bgp - improved stability on MP (multiprotocol) parsing;
• bgp - removed "save-to" from "resend" command;
• bgp-vpn - fixed blackhole route export;
• bridge - added ARP inspection and IP source guard support;
• certificate - always use all trust stores for downloaded CRL validation;
• certificate - general improvements in certificate handling;
• console - fixed argument mappings in "do" block for monitor commands;
• console - fixed missing comments in scripts (introduced in v7.24beta1);
• console - fixed proplist order in monitor commands;
• console - fixed quoted input issues for multi-argument properties;
• console - fixed UTF-8 comparisons on some architectures;
• console - improved "print detail" mode;
• console - make execute non-blocking when file parameter is used (introduced in v7.24beta1);
• container - fixed missing config.json issue when upgrading from version 7.20.8 or older;
• defconf - set "configuration.dtim-period=3" for WiFi;
• defconf - use "add-dns-entries=yes" on devices with DHCP server;
• dhcp - fixed processing of DHCP options that are longer than 255 bytes;
• discovery - added "discovery" logging topic (additional fixes);
• discovery - added "last-breath" feature;
• disk - added "last-seen" property that displays disk model and serial when removed;
• disk - added error message when disk state transitions from good to bad;
• disk - avoid reading SCSI stats all the time to allow disks to go to sleep;
• disk - improved error message when a swap file is created without "file-size" specified;
• ethernet - removed "1G-baseT-half" link mode on RTL8367 switch;
• fetch - added option to force HTTP/2 only (only for ARM64 and x86/CHR devices);
• interface - fixed duplicate MAC warning for wireless, wifi, macsec, w60g interfaces (introduced in v7.23);
• ip-service - show service name for "l2tp";
• ipsec,ike2 - fixed active connection termination;
• ipsec,ike2 - fixed SA payload validation;
• ipsec,ike2 - improved pending child SA cleanup and removal of dangling SAs during Phase 2 deletion;
• ipv6,ra - correctly process RAs advertising previously expired prefix;
• ipv6,ra - fixed prefix invalidation;
• isis - fixed missing "l2.lsp-refresh-interval" parameter;
• l2tp - allow fragmentation of large IPv6 packets;
• l3hw - added HW offloaded VRF support on 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98CX8410 switches (additional fixes);
• leds - added dark mode support for L009;
• lte - cap IPv6 prefix lifetime for ipv6-interface;
• lte - do not add extra /128 IPv6 address for ipv6-interface;
• lte - limit IPv6 prefix lifetime only when lifetime is advertised as infinity;
• lte - make modem MAC persistent for R11e-LTE6 and R11l-LTE7 modems;
• lte - remove site local DNS for ipv6-interface;
• netwatch - fixed issue where ICMP probes did not accept TTL exceeded packets when "accept-icmp-time-exceeded" was enabled;
• netwatch - increased maximum packet size to 65535;
• ospf - added missing interface parameters (additional fixes);
• ospf - allow comments on static interfaces;
• ospf - fixed interface passive flag update in WinBox;
• ospf - fixed unresolved route problem when "routing-table" setting is used;
• pimsm - make "hash-mask-length" parameter naming consistent and fixed typos;
• poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
• poe-out - firmware update for 802.3bt capable boards (the update will cause a brief power interruption to poe-out interfaces);
• ppp - disable/enable modem radio state depending on ppp interface state (additional fixes);
• ppp - fixed ppp-out stability issue (additional fixes);
• ppp - improved "info" command for BG77 and BG770 modems;
• ppp - only show pin in export with "show-sensitive" flag;
• route - allow to add route with link-local destination address;
• route - fixed memory leak when flapping addresses or interfaces with routing protocols running;
• route - fixed static route flag handling by WinBox on disable;
• sftp - fixed branding package upload;
• switch - increase "ingress-rate" and "egress-rate" maximum value to 400G;
• traffic-generator - fixed injecting pcap/pcapng files on MIPSBE architecture;
• tunnel - fixed stability issue caused by a misconfigured routing loop under bridge (introduced in v7.22);
• vrrp - fixed stability issue when "sync-connection-tracking" is enabled;
• wifi - improved roaming/steering behavior for WiFi 7 MLO (additional fixes);
• wifi - upgraded wifi-qcom driver;
• winbox - added "Network" configuration menu for WiFi;
• winbox - added missing values to "AFI" setting under "Routing/BGP" menus;
• winbox - fixed "Connection Bytes" field under "IP/Firewall" menu;
• winbox - fixed "EC/IO" scaling for LTE interface;
• winbox - fixed empty value in "Immediate Gateway" under "IP/Routes" menu;
• winbox - fixed value unset under "MPLS/LDP Neighbor" menu;
• winbox - fixed WinBox v3 stability issue when Netinstall package is enabled (introduced in v7.24beta1);
• winbox - move "EAP" under "Security" tab for WiFi;
• winbox - show priority bits in "VLAN ID" field under "Tools/Packet Sniffer" menu;
• wireguard - fixed peer recreation on interface change;
• x86 - fixed IRQ displaying per CPU on Intel 700 series NIC;

What's new in 7.24beta1 (2026-May-26 13:47):

• adlist - improved service stability when adjusting adlist configuration;
• app - added inventree, opencloud, opencloud-extended apps;
• app - changed pmacct-netflow YAML;
• app - use randomly generated secrets in new apps;
• bfd - fixed delay on session print;
• bgp - added option to add BGP VPLS created interfaces in interface-list;
• bgp - fixed memory leak;
• bridge - added "querier-uses-bridge-address" setting to use bridge source IP address for IGMP querier;
• bridge - added DHCPv4 snooping IP binding table;
• bridge - fixed local static host entries;
• bridge - fixed stability issue when using DHCPv4 snooping;
• bridge - improved STP bridge and port priority settings (warn when a non-compliant value is used and allow selecting a value from a list);
• btest - added VRF support for bandwidth-test and speed-test;
• certificate - added "acme-renew" command;
• console - added "days" to scheduler;
• console - added "in" and "has" operators for Array types;
• console - added "order-by" parameter to "print" command, allowing sorting by up to three arguments in ascending or descending order;
• console - added log tracing when scripts fail to start due to permissions;
• console - do not terminate self-removing scripts;
• console - fixed "print follow on-event" script runner command not showing all argument values in some cases;
• console - fixed script import/export with empty "policy" setting;
• console - fixed stability issue in full-screen editor;
• console - improved script handling and error logging when running scripts from external sources (e.g. DHCP, SNMP, netwatch, hotspot);
• console - make "mac-auth-password" sensitive in "/ip/hotspot/profile";
• console - make "password" sensitive in "/system/package/local-update/mirror";
• console - produce runtime errors for bad command parameters;
• console - prompt about and offer to stop already existing serial terminal session when opening new one;
• console - rename "address" to "available-from" in "/ip/service" (backwards compatible via deprecation);
• console - restrict editing comments in WiFi registration table;
• container - do not allow starting with empty default DNS list and no DNS override;
• container - do not print environment variables in log on container startup;
• container - fixed "start-on-boot" not retrying on certain startup errors;
• container - improved support for containers;
• container - reduced writes to flash when running health check;
• container - use env "TERM=xterm" if no TERM variable provided when running shell;
• dhcpv4-relay - fixed stability issue when creating duplicate relays;
• dhcpv4-server - do not reset "class-id" parameter when lease loses "bound" status;
• dhcpv6-relay - fixed non-working relay when adding from WinBox;
• dhcpv6-server - fixed invalid flag;
• discovery - added "address6" column to default "/ip/neighbor" print view;
• discovery - added "discovery" logging topic;
• discovery - improved service stability when sending discovery packets on interfaces that have hundreds of IP addresses;
• disk - added "raid-scrub-cancel" command;
• disk - do not consider USB drives as self-encryption capable;
• disk - fixed "smart-info" not showing information on certain storage devices;
• disk - limited maximum swap size to be no more than 10x of device RAM;
• ethernet - fixed stability issue with TSO on Alpine CPUs;
• fetch - added "ip-type" parameter;
• fetch - fixed false "bad request" response when trying to fetch URL with IPv6 address in it;
• fetch - hint file list for "src-path" and "dst-path" parameters;
• hardware - rename "max-power" to "manufacturer-reported-max-power";
• iot - added LoRa keep alive logic for UDP protocol;
• iot - added missing LoRa US radio plans;
• iot - added Wiliot USB dongle support;
• iot - allow maximum Modbus "timeout" property to 10 seconds;
• iot - monitor LoRa worker state (watchdog);
• iot - pass Wiliot certification;
• ip-service - remove reverse-proxy for SMIPS;
• ipsec,ike2 - improved KE generation validation during initial setup and child SA creation;
• ipsec,ike2 - improved logging when remote ID is specified;
• ipsec,ike2 - improved TSi validation to prevent modecfg address conflicts;
• ipv6 - added "status" column to default "/ipv6/neighbor" print view;
• ipv6 - do not disable IPv6 FastPath when Traffic Flow is enabled;
• ipv6,ra - changed default "router-advertisement-route-distance" to 1;
• ipv6,ra - use lowest value between IPv6/Pool and IPv6/ND/Prefix/Default as dynamic prefix lifetime;
• l3hw - added HW offloaded support for VLAN interfaces created directly on Ethernet for CRS8xx series switches;
• l3hw - added HW offloaded VRF support on 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98CX8410 switches;
• leds - improved interface stats activity for devices with Marvell Prestera switch chip;
• lte - fixed EC/IO scale in CLI and GUI;
• lte - fixed EC25-EU, EG25-G traffic to 67 UDP;
• lte - fixed third-party modems ICCID decoding for eSIM;
• lte - improved Cinterion PLS8-E roaming;
• lte - improved deregistration handling for AT modems;
• lte - improved system stability when no APN specified;
• lte - removed extra restart after firmware upgrade for EC200A-EU modem;
• lte - report short cell ID in 3G network mode also for AT modems;
• lte - restrict incoming calls for FG621-EU;
• lte - show "+CME ERROR: 10" as "SIM not present";
• lte - show "data-class" in LTE monitor instead of "access-technology" also for 5G AT modems;
• lte - show "primary-band" instead of "earfcn" in LTE monitor also for modems without CA support;
• lte - show RSCP and EC/IO parameter in 3G network mode for R11e-LTE6, R11l-LTE7 and FG621-EA modems;
• mesh - fixed missing FDB entries from wireless ports;
• mpls - added ICMP time exceeded handler for IPv6;
• mpls - make FastPath work with expl-null;
• netinstall - added Netinstall package;
• netinstall - improved architecture detection;
• netinstall-cli - added "help" parameter;
• netinstall-cli - added "reboot" and "shutdown" flags to control reboot after installation;
• netwatch - fixed inaccurate "rtt-stdev" value;
• ospf - added missing interface parameters;
• ospf - force passive for VRF interface;
• pim - added comment for "/routing/gmp" entries;
• poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
• poe-out - firmware update for 802.3bt capable boards (the update will cause a brief power interruption to poe-out interfaces);
• ppp - added "MT-Address-List" to IPv6 address list when received from RADIUS and using DHCP for IPv6 configuration;
• ppp - disable/enable modem radio state depending on PPP interface state;
• ppp - fixed ppp-out stability issue;
• ppp - improved OVPN underlying SSL connection management;
• ppp - report actual network data usage statistics instead of "0" for all IPv6 RADIUS accounting parameters on accounting "Stop" packet;
• queue - fixed "undo" command for simple queues;
• rip - do not export authentication keys by default;
• route - fixed potential race condition;
• route - improved overall stability;
• route - removed deprecated "/routing/route/rule" menu;
• route - respect the "interface" property when pinging IPv6 addresses over ECMP;
• sfp - fixed linking for hAP ax S and hEX S (2025) with "1G-baseX" link-mode;
• sfp - removed unsupported "2.5G-baseX" speed on CRS312-4C+8XG and CRS326-4C+20G+2Q+;
• sms - added some GSM7 symbols to SMS tool;
• ssh - added mlkem768x25519-sha256 key exchange support;
• ssh - do not attempt automatic empty password login when RADIUS is used;
• ssh - fixed SSH tunnel with IPv6 link-local address on non-ethernet interfaces;
• ssh - make SSH packet validation more strict;
• supout - added interface monitor-traffic;
• switch - fixed IEEE reserved MAC handling for CRS1xx, CRS2xx switches;
• switch - fixed rare possibility of tx-timeout or simultaneous flap of all switch ports on devices with Alpine CPUs;
• system - rename "factory-software" to "minimum-version" and "factory-firmware" to "minimum-firmware";
• system - restrict RouterOS processes using swap;
• system - show who is using "/system serial-terminal";
• vpls - added transmit loop detection;
• vrrp - added "v3-checksum-as-v2" setting;
• vxlan - fixed missing L2MTU property when VRF is specified;
• vxlan - ignore disabled interfaces when checking for configuration conflicts;
• webfig - fixed issue with increasing keep-alive traffic;
• webfig - improved underlying encryption and stability processing;
• webfig - improvements to graphs;
• wifi - added "Preamble Puncturing" under "WiFi/Channel" menu;
• wifi - added dash when CAPsMAN generates interface name and prefix ends with digit;
• wifi - improved regulatory compliance;
• wifi - improved roaming/steering behavior for WiFi 7 MLO;
• wifi - improved stability;
• wifi - improved station-bridge mode;
• wifi-mediatek - fixed broken interfaces on startup;
• wifi-mediatek - fixed some channel definitions for certain countries;
• winbox - added "Preferred Architecture" setting for L009;
• winbox - added "SIM PIN" under "Tools/SMS";
• winbox - fixed "Use Ipsec" and "Ipsec Secret" under "Interfaces/L2TP Ether" menu;
• winbox - fixed sort for "Address List" under "IPv6/Firewall" menu;
• winbox - make LoRa "Auth key" and MQTT "Password" sensitive;
• winbox - show "Any. Port" column by default under "IP/Firewall" menu;
• winbox - show preferred and valid lifetime of IPv6 address also on static IPs;

To upgrade, click Check For Updates under System/Packages menu and select the development Channel in RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

Please, explain...

Thanks.

C52iG-5HaxD2HaxD [ HDM08KMKBP9 ]
7.23 -> 7.24beta1 [not netinstalled but before upgraded from ??? (not remember) -> 7.23rc1 -> 7.23rc2 -> 7.23 (stable) ]
locked after update
(that is, it is clearly turned on but it does not transmit wifi, nor does it respond IP/MAC on all ethernet ports, it only gives the link)
power unplugged and re-plugged work again normally
I didn't find any notable differences between export 7.23 and 7.24beta1

no errors on log, only "system,error,critical router rebooted without proper shutdown, probably power outage"

Added "Keep apps" on reset? I hadn't noticed...

Thank you!
@CGGXANNX will be happy too.

And I?

Oh, good, I was waiting for that one.

wondering what this is for.

*) l3hw - added HW offloaded VRF support on 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98CX8410 switches;

After the release of the CRS8xx I was not expecting to see major new L3HW functionality being released for the CRS3xx switches.

Thanks Mikrotik !

Yes... No...

factory-software -> minimum-version -> minimum-ros-version
factory-firmware -> minimum-firmware -> backup-rboot-version
(also because on setting is force-backup-booter "Force Backup Booter", not "Force Minimum Firmware" or "Force Factory Firmware"

Coherence?

I understand the point of the change,
but since most people don't know the difference between software and firmware as understood in RouterBOARD,
it's better to clearly specify RouterOS and RouterBOOT....

Is it possible to do the same for ARM, especially for devices with 16MB ROM like the Hap AC2?

Couldn't agree more, nicely done Mikrotik!

For netinstall from one compatible device to anyother needed?

If I’m right, it’s going to obsolete both my Linux VM scheme and the container alternative.

And I’m more than okay with that!

Hats off to you MT for the HW Offloaded VRF Support, how about VTI IPSEC support please thanks!

Thank you for these:

However, with this version, there are 3x-4x more "garbage" content that /export or /app/export produce on a test setup that uses no apps!

image1078×657 46.6 KB

Probably due to this change:

But none of the apps have ever been enabled!

• console - added ability to turn automatic TABs replacement off

Still hoping to see this in a changelog...

Well, that's pretty vague....

I think this could fix my observations.

Frankly, I never thought something useful would come from that wild discussion. I'm glad that you're listening!