when to upgrade ROS (7.xx)

Has anyone got advice on when (and when not) to upgrade RouterOS? In particular ROS7, as there is no “long term” version of it yet and the stable releases have not always been so, well, stable.
I’m on 7.10 and can’t really see much in the changelogs that improves my little home setup of one Hex (RB750GR2) and 4 various MikroTik boxes working as simple access points.

My primary concern is really security and stability, and for the most part my MikroTik kit has been really good (although it took me a long while to get wifi nicely set up and I dropped capsman from the equation for performance reasons).

What I really want is some form of “you really need to upgrade” notification for critical vulnerabilities (I do subscribe to announcements on these forums so hopefully that might cover the big ones)

(I’m still amazed that my old hex from 2015 is capable of moving 850 Mbit/s and running the latest software, so well done MikroTik team!! AND it runs WireGuard)

There is no long-term release in v7. So if you need that kind of notification, you should be using v6.

thanks @mkx
I understand the long-term issue, but given the current situation with 7, how might it best be handled?

At the moment I try to read the changelogs in the announcements and see if anything pertinent or vital has been fixed/improved/changed. Then I watch the forum for at least a week, preferably two (or more), to see what issues come up. At that point it’s a “best guess” as everyone’s setup is different, but as mine is not complex I often figure I’m relatively low risk. Generally I’ve had good luck but wondered if there was any other advice (or just not upgrade, on the basis that if it ain’t broke don’t fix it :wink:)

I need 7 for WireGuard and I seem to recall there were a number of other very relevant features that came with the move to the new kernel… possibly IPv6. ROS7 does seem to be taking a long time to get stable but I can appreciate that it’s a balance between features and stability… opposing forces.

I think most “conscious” users of v7 act pretty much the same way as you do.

@en1gm4 IMO you understand the RouterOS environment well and already practice the best strategy possible.
Asking MikroTik to release software like enterprise vendors requires they raise prices to become an enterprise vendor.

AFAIK, the policy is that they post security-related announcements here: https://blog.mikrotik.com/security

So, in theory, there should not be security-related fixes in a point release without an announcement.

Thanks.
It looks like CVEs are also posted in the announcements forum so my subscription to that should catch them.

That makes me a little more comfortable.

I guess there is not much I can change really.
(Time to try 7.11 anyway, perhaps)

I can get back to hoping they will release a nice little quad arm core hex for me in the future :wink:

@en1gm4
I’m kind of in the same boat. My main router here at home is a RB4011iGS+ that is running 6.49.8. I have been watching ROS 7 for about a year, but currently have no real NEED to upgrade to it. I also would like to play with WireGuard, but it’s not a need for me. I will be off work for the next couple months due to knee replacement surgery, so I will have a lot of time available. Somewhat expect to do the upgrade to ROS 7 later in my recovery.

@en1gm4 my comfort zone improved tremendously when I learned how to downgrade RouterOS.
Conceptually simple and astonishingly poorly documented falling into information class known as:
Intuitively obvious but only if known. It’s right there with learning how mouse and GUI work.
I admit once learned a complete document won’t be used much thereafter.

@ConradPino
Thanks, I’m comfortable with downgrading if needed (only had to once though, and one netinstall, which was a bit of a pain but worked :wink:)
And yes, MT documentation continues to be their weak point; I hope they manage to solve it (maybe AI will help in future :wink:)
All things considered MT is pretty amazing and I’m glad I made the jump some years ago. Sadly it’s a bit too complex to recommend to friends without them having some fairly deep tech skills, and many who do have those skills will choose either the safe Cisco route or pfSense. Small home users are not MT’s market though.

@k6ccc
If it helps, I have found ROS7 really pretty good and stable. I was using capsman but eventually gave up for performance reasons. I set up an IPv6 tunnel via Hurricane Electric which worked great apart from geolocation, so sites always thought I was in the US (I’m in the UK), which was irritating and broke things (like the BBC). I had FQ CoDel running really well on my slower broadband (50/10) but with the move to fibre my Hex could not keep up, so that got turned off (and not really needed). WireGuard has been rock solid for me after a little learning. I even tried having different SSIDs connected to different VPNs so I could change “locations” easily… amazing power in these things. My config is really simple now though. Just DHCP, NAT and stock firewall mostly, plus WireGuard (DNS is handled by pihole), so I guess I avoid the challenging areas of the code for the most part. Good luck with the op/recovery and have fun with the upgrade.

And right on cue 7.11.1 has been released, so it’s upgrade time.

I’m using an RB5009 with ros 7.9.2 in production and it seems to work okay. Coming from the RB4011 on v6. But it all depends on the config you’re using.

Sigh… and hours after I installed 7.11.1 they released 7.11.2 due to a DHCP server error that crept in.
Isn’t that always the way :laughing:

I do often remind myself though that no other “home” equipment would get anywhere near this level of updates for years (for eco reasons alone people should be buying mikrotik!)

@en1gm4

I am intensely curious to learn your thoughts as to where their market falls.

I created my HE tunnel Aug 26, 2012; welcome to the club. Can I safely presume you connect to the London tunnel servers?

Same here, RouterOS CHR 7.11.1, and glad the hAP ax3 is still at 7.11 as it runs two dhcp-server instances. Thanks for the heads-up!

I’d like to hear that from MT themselves. There is certainly a strong group of prosumer/lab/hobbyists but I suspect the core is SME, small WISPs, and price-sensitive markets.
It’s still too complicated for most users to set up.
(And full disclosure I’m ex Cisco from a long time ago so have been at IP for a long time)

I created my HE tunnel Aug 26, 2012; welcome to the club. Can I safely presume you connect to the London tunnel servers?

Yes, I used London. The geolocation was all over the place depending on the provider. Weird as HE had correctly registered all the /64s as London apparently.
IPv6 worked well and was fast for the limited testing I did.

@en1gm4 Thank you; I appreciate the useful tidbits.

A little late, but here’s some key advice from my (recent) experience…

Do updates only when you have enough time to find and fix problems that may arise. Thirty minutes before a big Zoom meeting? Bad time! I’d suggest blocking out no less than an hour, maybe more if you have a complex setup. If everything works out you have an hour to browse social media or whatever. If it doesn’t work out you hopefully have enough time to figure out what’s going wrong and at least put a temporary work-around in place.

I say this because I just did the upgrade from 7.11 to 7.11.2 and found some stuff broke, including the ability of a container running pi-hole to access the router. (ping 192.168.88.1 from the container shell fails, which explains why it couldn’t get answers back from the MikroTik DNS running on the router.) This was a pain, but not fatal; that’s exactly why I run a backup on a physical Raspberry Pi in fact. I’m still working on the solution to this, but in the meantime I have spun up two different containers with seemingly identical config (save different IPs assigned to their respective VETH interfaces) and they’re both working fine.

Worse was apparently something changed in the way functions accept literal arguments, or at least quoted strings. I have a globally defined function for push notifications that gets used in practically all my scheduled scripts. After the update, with zero changes, it was failing. That prevented any of the scripts calling it from running. So obviously I just disabled them all and manually performed those functions until I was able to fix the scripts. This took the bulk of my time — roughly 30 to 45 minutes, mostly because I couldn’t figure out what was wrong until I opened up the command-line

/container/edit <script-name> source

and saw the syntax highlighting, which had formerly been 5x5, was showing a bunch of errors.

@jimsander

Thanks. That’s great advice. You clearly are quicker at figuring out issues than I am. I’d be more inclined just to reverse the change and wait for someone like you to figure out the problem :wink: I’ve never quite got the hang of scripts and run my pihole separately. (One day I’ll get a grown up router and run it there though)

Not great to see such relatively straightforward things (scripts… containers are perhaps another story) break going from only 7.11 to 7.11.2 though. It does seem that code is still fragile in places.

P.S. I also learned to check with my kids before an upgrade! Messing up the network during a big gaming session or important chat is going to get you in big trouble :face_with_spiral_eyes:

Upgrade a capsman installation and then leave the day after for holidays for 2 weeks. Also a no-no.
(I didn’t do that, waited to return before doing the upgrade)

I also have a RB4011 and have upgraded it some time ago, but it has been an interesting ride. Sometimes fatal errors in the v7 “stable” versions (e.g. 7.11) required me to roll back to have a functioning router again. Lately, “stable” versions are released with bugs that one would expect to be found in testing.

Fortunately the 4011 has ample flash storage. You can partition the router (2 partitions), copy the active version to the second partition, upgrade, and when there are issues you can make the other partition active and reboot to instantly return to the previous version.
I also use that at every update, so I could revert out of the 7.11 disaster easily. The issue there was that it wasted me a lot of time and aggravation to even discover that the RouterOS upgrade was the cause of my issues.