WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.Is there a specific reason why
multi-passphrase is not supported for the WPA3-PSK authentication type.
Will it be supported in future releases?
😭WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.Is there a specific reason why
multi-passphrase is not supported for the WPA3-PSK authentication type.
Will it be supported in future releases?
I want only broadcast two SSIDs guest and locals (locals has several VLANs and assignment is according to MAC, now PPSK).You are doing VLAN separation. Every smart device must have some kind of app or a way to select SSID and input password. So just input password you specified for that VLAN and thats it
Easier for the user, what they are used to.Why two ssids ? Just put guest on separate VLAN, assign them password and that's it.
PPSK gets me back to here, WPA3 and alternative way doing PPSK😭
WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.
So there any option to do the vlan separation based on PSK or similar?
Wondering how to deal with the headless devices which can be assigned to an VLAN easily now (with PPSK).
[...]WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.multi-passphrase is not supported for the WPA3-PSK authentication type.
I believe you can do WPA3 and EAP using the user-manager package. You'd have to enable EAP in Wi-Fi, but you'd can keep WPA3. Since user manager let you set a VLAN (excluding wifi-qcom-ac), it be based on the "user" & "password" in EAP & those could map to in similar PPSK scheme (one user per vlan). As bonus, you'd have more control down to a specific user-level if desired, and without more SSIDs broadcasting.PPSK gets me back to here, WPA3 and alternative way doing PPSK
would that a mix if WPA2 and WPA3?[...]
WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.I believe you can do WPA3 and EAP using the user-manager package.PPSK gets me back to here, WPA3 and alternative way doing PPSK
+1 this request. Is this newly broken, or has it never worked?fischerdouglas compilation
Code: Select allLets talk about Hardware Offload? When will it be possible to use VRF without losing Fast-Path and Hardware Offload features?
From mikrotik help+1 this request. Is this newly broken, or has it never worked?fischerdouglas compilation
Code: Select allLets talk about Hardware Offload? When will it be possible to use VRF without losing Fast-Path and Hardware Offload features?
Pretty please, Mikrotik, this is such an important feature.
wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight 🤷♂️ )From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added.
viewtopic.php?t=211511wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight 🤷♂️ )
Unfortunately, L3HW doesn't support VRF yet. The hardware (switch chip) supports it, but the feature has not yet been implemented in RouterOS. There are plans to add VRF L3HW, but I cannot share the ETA at the moment of writing.
They definitely are able to.wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight )From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added.
I agree, but Mikrotik cannot just add HW offloading. They need to add FastPath offloading for MPLS Push/Pop including VRF's (L3VPN/VPNv4/VPNv6)From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added.
thanks for the linkviewtopic.php?t=211511wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight 🤷♂️ )Unfortunately, L3HW doesn't support VRF yet. The hardware (switch chip) supports it, but the feature has not yet been implemented in RouterOS. There are plans to add VRF L3HW, but I cannot share the ETA at the moment of writing.
Totally agree. I'm confident they can implement that, considering the recent implementation of FastPath for VPLS.I agree, but Mikrotik cannot just add HW offloading. They need to add FastPath offloading for MPLS Push/Pop including VRF's (L3VPN/VPNv4/VPNv6)
The Marvell based platforms are a very small part of their entire portfolio, and FastPath will benefit a lot more devices than just L3HW. Both are needed to deliver the best outcome for Mikrotik's customers.
Not to mention the long overdue IPv6 FastPath module.
I would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.Totally agree. I'm confident they can implement that, considering the recent implementation of FastPath for VPLS.I agree, but Mikrotik cannot just add HW offloading. They need to add FastPath offloading for MPLS Push/Pop including VRF's (L3VPN/VPNv4/VPNv6)
The Marvell based platforms are a very small part of their entire portfolio, and FastPath will benefit a lot more devices than just L3HW. Both are needed to deliver the best outcome for Mikrotik's customers.
Not to mention the long overdue IPv6 FastPath module.
They should aim to keep up to date with kernel and sdk versions else we have situation like we did from ros6 to ros7 taking years as well as wifi6 takingI would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.
Totally agree. I'm confident they can implement that, considering the recent implementation of FastPath for VPLS.
I sincerely doubt they will have the will and courage to do that any time soon.
Well, they are using a fairly recent kernel - and the V7 series already had one kernel change. So, I think they learned their lesson with V6, and things are more decoupled this time.I would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.
I sincerely doubt they will have the will and courage to do that any time soon.
How u checking kernel version?Well, they are using a fairly recent kernel - and the V7 series already had one kernel change. So, I think they learned their lesson with V6, and things are more decoupled this time.I would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.
I sincerely doubt they will have the will and courage to do that any time soon.
How u checking kernel version?
/system/resource/usb
0 1-0 Linux 5.6.3-64 uhci_hcd UHCI Host Controller 12
Easy Peasy just become a valued investor. ;-)a roadmap would be nice (*wishful thinking*)
True - but is far from ancient. I said "fairly", I didn´t say "brand new". As long as Mikrotik keeps up with security patches - and backport them to this version - things will work.Well, 5.6.3 is from 2020-04-08. IMHO that is far from recent.
I am sure a XKCD comics exists for this.Kernel version have been discussed many times before and like it was mentioned before it is being patched, so you cannot say that it is 5.6.3 in the form as it came out in 2020. Kernel version is updated when it is absolutely necessary or the actual gains are worth the effort.
At this point, I`m convinced there is one XKCD for everything in life.I am sure a XKCD comics exists for this.
What's new in 7.16 (2024-Sep-20 16:00):
*) console - added additional byte-array option to :convert command;
*) console - improved :serialize and :deserialize commands and added support for DSV (delimiter separated values) format;
Thank you @Mikrotik for these!What's new in 7.17beta2 (2024-Sep-27 10:07):
*) console - added to/from=num option for :convert command;
:put "Press 'y' to continue, or any other key to abort"
:if ( [:convert from=num to=raw [/terminal/inkey]] != "y" ) do={ :error "script stopped by user" }
# more code after 'y' key ...
In regards to have a "more advanced" DNS service in a separate package is not a bad idea at all, I like it!!fischerdouglas compilation
Code: Select allHave you MikroTik guys considered splitting the DNS service as was done with the Wifi packages? Separating different things of different interest into Packages? Embedded in RouterOS DNS being just a regular AND SIMPLE DNS relay/recursive. Focused on attending to the requirements of scenarios of home and basic device-modes. An extra dns.npk designed to be a more complex DNS service, with all the more advanced features that already exist on actual DNS, and other ones that were not included because it complicates much of the basic. It would reduce the probability of simple issues affecting a huge number of devices. Would make it easier to do some demands that are a pain to deploy in the current scenario(like VRF on outgoing queries). It would also prevent less experienced users from getting into trouble by messing with settings that don't need to exist in more basic scenarios.
would like to see that to. +1In regards to have a "more advanced" DNS service in a separate package is not a bad idea at all, I like it!!fischerdouglas compilation
Code: Select allHave you MikroTik guys considered splitting the DNS service as was done with the Wifi packages? Separating different things of different interest into Packages? ....
Actually there are a lot of features missing in the DNS service that could be addressed. Users who don't need additional features could stick to the integrated basic DNS service.
Tested on my side, running CCR2004-16g-2S+ on 7.17beta2. No packet loss detected on multiple runs of cloudflare speed test.Can anyone else confirm that the packet loss has increased in 7.17beta2 by comparision to 7.16. I noticed websites failing to load on 7.17beta2 and tested using https://speed.cloudflare.com/. I saw in "Packet Loss Measurements" between 1% to 10% lost packets and never 0% of lost packets. I downgraded to 7.16 and most are 0% of lost packets and the highest lost packets was 0.5% of lost packets.
To me its obvious that 7.17beta2 is loosing packets. I turned off all queues and same results.
Look if DHCP is working. I had devices disconnecting and reconnecting but had in fact an issue with DHCP snooping.Logs full of connection lost for various devices
For example Samsung soundbar not moving inch, standing next to HAP AX3.
disconnected, connection lost, signal strength -24
disconnected, connection lost, signal strength -32
etc..
Also devices sometimes roam from 5 ghz to 2ghz again under for signal for no reason, or even flap around, 5ghz>2ghz>5ghz in like minute while not moving and under full signal (3m from router)
Disabled WPA3, disabled FT, etc, think i tried about everything.
Its same on 7.16 and 7.15...
Reverting to 7.14.3 fixes the problem.
I can not confirm, no any visible packet loss (7.17beta2 cloudflare) on hAP ac^2 IPv6/IPv4 VDSL2 110/25 from Czechia.Tested on my side, running CCR2004-16g-2S+ on 7.17beta2. No packet loss detected on multiple runs of cloudflare speed test.Can anyone else confirm that the packet loss has increased in 7.17beta2 by comparision to 7.16. I noticed websites failing to load on 7.17beta2 and tested using https://speed.cloudflare.com/. I saw in "Packet Loss Measurements" between 1% to 10% lost packets and never 0% of lost packets. I downgraded to 7.16 and most are 0% of lost packets and the highest lost packets was 0.5% of lost packets.
To me its obvious that 7.17beta2 is loosing packets. I turned off all queues and same results.
An option in /system routerboard that will be available for 24 hours since upgrade/since first boot/since running a command confirmed with button press/since running a command confirmed with power cycle, that will return a random 16 character string, that will also be permanently written to the device. This random 16 character string may then be used to authorize restricted operations remotely. What's wrong with this? Why can't we have good things?What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
Try keeping track of this across tousands of remotelly managed devices, it would be chaos. Random factory passwords are already bad enough!An option in /system routerboard that will be available for 24 hours since upgrade/since first boot/since running a command confirmed with button press/since running a command confirmed with power cycle, that will return a random 16 character string, that will also be permanently written to the device. This random 16 character string may then be used to authorize restricted operations remotely. What's wrong with this? Why can't we have good things?What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
i operate hundreds of devices in multiple locations and several countries as an external consultant, some features that will be blocked in 7.17 i use it frecuently so i will have to stay on 7.16 because of this extreme measures
What about us that operate as WISP, ISP or consultants deploying devices and are soon ready to upgrade past 7.17+. Would we then need to schedule maintenance AND truck rolls to touch EACH device in order to properly change device-mode? Or we have to instruct the customers / end-users we need them to perform XYZ steps due to a security rollout? Otherwise, we decide to stay away from 7.17. Hard to stay away, especially when have future wireless enhancements -- AX is broken. [mANTBox 15 ax]
i use traffic gen on a daily basis for performance testing and bandwidth validation i will have to stay on 7.16 because of this being disabled on 7.17, is very expensive to move personel to every site at off peak hours, paying hotel, etc, to do this upgrades and do the procedure to activate this features on production equipmentWhat will you be using traffic gen for, in this remote router? There is no need for theoretic, like I said
We already do. We manage over 7 thousand routers, have daily backups of configuration of each. Adding one more string to the database should take one man-hour with testing by my estimates +/- 30 min.Try keeping track of this across tousands of remotelly managed devices, it would be chaos. Random factory passwords are already bad enough!
An option in /system routerboard that will be available for 24 hours since upgrade/since first boot/since running a command confirmed with button press/since running a command confirmed with power cycle, that will return a random 16 character string, that will also be permanently written to the device. This random 16 character string may then be used to authorize restricted operations remotely. What's wrong with this? Why can't we have good things?
wait, what? So... if attacker gets access to sub 7.17 device they will upgrade to 7.17 to get the token, that will allow them to downgrade? :DMikrotik won't adopt this approach. The introduced the "downgrade" flag so an attacker can not downgrade to an insecure ROS version.
You seem to be forgetting that reverting "dumb" device to "uber-smart" device is one button-push/power cycle away. This is merely a convenience for people controlling thousands of devices. "Normal" users could simply ignore it, and their routers would lockdown after n hours post-upgrade. Resetting this password could be implemented the same way.That's one part I said. Read my full comment and/or don't quote an excerpt which makes no sense standalone quoted.
Well, what is then this whole discussion about when it is all just a "button-push/power cycle" away?You seem to be forgetting that reverting "dumb" device to "uber-smart" device is one button-push/power cycle away.
Well, what is then this whole discussion about when it is all just a "button-push/power cycle" away?You seem to be forgetting that reverting "dumb" device to "uber-smart" device is one button-push/power cycle away.
You can really piss someone's leg really hard by changing device mode to "dumb device" mode when physical access is not easy.
In case it was targeted at me: I have not the guts to try this beta at all. I am done with betas. First and last time I tried was 7.15beta6 and I had to involuntary netinstall because device did not boot up.It's a beta. Issues are to be expected. If it doesn't work properly for you, just downgrade and maybe try the next beta.
Can Mikrotik team say that Kernel version that is used has nothing to do with the inability to do hardware offload of VXLAN, MPLS L3VPN and L2VPN, and several other features?Kernel version have been discussed many times before and like it was mentioned before it is being patched, so you cannot say that it is 5.6.3 in the form as it came out in 2020. Kernel version is updated when it is absolutely necessary or the actual gains are worth the effort.
So you Don't read the forums??It's a beta. Issues are to be expected. If it doesn't work properly for you, just downgrade and maybe try the next beta.
No, I don't read "the forums", the signal to noise ration is too low in many cases. I read selected threads in this forum in search of information and maybe to contribute some information if I just found a way to solve or work around an issue. If you have issues with your stuff, open a support ticket. Once they start working on your bug they might even give you test-firmwares which address just your specific thing. It really works :) In my experience so far Mikrotik are a lot more responsive than what I am used from the likes of Cisco and Fortinet …So you Don't read the forums??It's a beta. Issues are to be expected. If it doesn't work properly for you, just downgrade and maybe try the next beta.
that kind of problem in MPLS/VPLS happen since v6 anywaySpeaking about MPLS / VPLS, did someone try to see if the last versions are still losing packets on CCR2216? As far as I know, it is still an unresolved issue.
* with a supout.rif - even if you think the problem is obvious and easily tested...Creating support ticket is the most effective tool we have.
Put a QR Code on the router which we can scan and save in our management software before deploying the routers. If we need later in a remote location a feature activated which we did not previously, we can enable it and provide the code via CLI. It also helps if someone remote can provide the code without traffic interruption - it also allows collecting the codes over a longer period of time and activating the feature in maintaince window.What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
[admmikrotik@ap70a] > /partitions/activate part0
failure: not allowed by device-mode
[admmikrotik@ap70a] > /partitions/print
Flags: A - ACTIVE; R - RUNNING
Columns: NAME, FALLBACK-TO, VERSION, SIZE
# NAME FALLBACK-TO VERSION SIZE
0 part0 next RouterOS v7.16.1 2024-10-10 14:03:32 64MiB
1 AR part1 next RouterOS v7.17beta2 2024-09-27 07:07:42 64MiB
[admmikrotik@ap70a] > /partitions/activate part0
failure: not allowed by device-mode
[admmikrotik@ap70a] >
[admmikrotik@ap70a] > /system/device-mode/print
mode: advanced
container: yes
[admmikrotik@ap70a] > /system/routerboard/print
routerboard: yes
board-name: hAP ax^3
model: C53UiG+5HPaxD2HPaxD
serial-number: x
firmware-type: ipq6000
factory-firmware: 7.6
current-firmware: 7.17beta2
upgrade-firmware: 7.17beta2
[admmikrotik@ap70a] > /system/device-mode/print
mode: advanced
container: yes
partitions: yes
[admmikrotik@ap70a] > /partitions/print
Flags: A - ACTIVE; R - RUNNING
Columns: NAME, FALLBACK-TO, VERSION, SIZE
# NAME FALLBACK-TO VERSION SIZE
0 part0 next RouterOS v7.16.1 2024-10-10 14:03:32 64MiB
1 AR part1 next RouterOS v7.17beta2 2024-09-27 07:07:42 64MiB
[admmikrotik@ap70a] > /partitions/activate part0
[admmikrotik@ap70a] > /partitions/print
Flags: A - ACTIVE; R - RUNNING
Columns: NAME, FALLBACK-TO, VERSION, SIZE
# NAME FALLBACK-TO VERSION SIZE
0 A part0 next RouterOS v7.16.1 2024-10-10 14:03:32 64MiB
1 R part1 next RouterOS v7.17beta2 2024-09-27 07:07:42 64MiB
[admmikrotik@ap70a] > /system/reboot
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
I hope MikroTik takes this into consideration. This is much better solution for those with NUMEROUS devices that are not within "reach" for a button press. Especially for devices on customer locations as CPE. Or as core routers..... We cant simply truck roll and justify the upgrade past 7.17.ok, the main points of what I was proposing to ease this transition:
On first upgrade to 7.17, or initial power-on or netinstall with 7.17+
- Display or have available (/system/routerboard/get device-token) a secure device token string for a limited period of time (30 minutes)
- The admin can copy this token and record it against the device
- During this 30 minutes the admin can CHANGE the device token (/system/routerboard/set device-token="newSecureToken")
After 30 minutes/Second+ boot
- During this 30 minutes the admin can SET secure device options as needed (downgrade, boot partitions, container use, etc) without being prompted to power-cycle/reset.
- The device token becomes inaccessible (/system/routerboard/get device-token returns null)
- Changing secure device options, including the device-token would require adding the a device-token="..." to the command to enable it without requiring a power-cycle/reboot - this critically enables enterprises/ISPs/SMBs to continue to manage these and any future options without visiting/remotely power-cycling devices
Rational
- The admin can also set the secure device options and device-token without using the device-token, but they will then be prompted to power-cycle or reset in the next 5 minutes
- This would give a 'grace' window for setting options without having to go through the power-cycle/reset procedure
- This would enable enterprises/ISPs/SMBs to record, and/or set their own device token in a way that works with their existing procedures
- For instance, unique device token per device can be recorded in a database using a script to obtain them in the 30 minutes post upgrade
- Or the admin can set a known device-token across a group of devices and have that recorded in a password manager
This will not satisfy everyone, if your device is already compromised, then netinstall it, or 'recycle' it.
- It also allows for the existing set and require a power-cycle/reset procedure
I would hope that it covers the vast majority of needs out there, and allows for easy integration with existing workflows, would work with scripting.
It is constructive, flexible, and I hope, achieves the presumed goal of ESTABLISHING a secure base in-case of FUTURE compromise.
Welcome to the club. This is just the first beta, so I hope MT team changes its mind and choose a better solution for enterprise market.You're right, i've not see this part in doc ; but read in the next section :
List of available properties (table) "container, fetch, scheduler, traffic-gen,
ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks, partitions, downgrade, bootloader. (yes | no; Default: yes, for advanced mode)"
Why disable it after upgrade IF they must be yes for advanced mode ...? don't understand ... mistake ?!
I'm scared about this future 7.17 upgrade... with more than 80 AP dev located on wall or ceiling (sometimes hidden).... this will be a great moment on pleasure with this newly disabled features now. And depending of each building, lot are not powered by real POE but standard PSU with injector.
I think this solution is simple and effective for new equipment.Put a QR Code on the router which we can scan and save in our management software before deploying the routers. If we need later in a remote location a feature activated which we did not previously, we can enable it and provide the code via CLI. It also helps if someone remote can provide the code without traffic interruption - it also allows collecting the codes over a longer period of time and activating the feature in maintaince window.What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
Otherwise, you need to set the device mode to full for all systems, as maybe you need it sometime in the future - it would be more secure to active only the mode you need at the time, but this requires a way to change it at runtime.
I think the QR idea is terribleI think this solution is simple and effective for new equipment.
Put a QR Code on the router which we can scan and save in our management software before deploying the routers. If we need later in a remote location a feature activated which we did not previously, we can enable it and provide the code via CLI. It also helps if someone remote can provide the code without traffic interruption - it also allows collecting the codes over a longer period of time and activating the feature in maintaince window.
Otherwise, you need to set the device mode to full for all systems, as maybe you need it sometime in the future - it would be more secure to active only the mode you need at the time, but this requires a way to change it at runtime.
New deployments aren't as big of a problem as existing deployments, as I can readily enable the device-mode on the bench before putting the device in the field. But yes, if some features provide a measure of security, there are some things we might want to leave disabled until the feature is needed. If they are deployed at a site that is inconvenient (or impossible) to reach at the time, it does make it difficult to enable later without having physical access.... hmmm.Put a QR Code on the router which we can scan and save in our management software before deploying the routers.What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
Yes, you're right. There are many variables to consider. Thanks for clarifying this possible threat ;)I think the QR idea is terrible
I think this solution is simple and effective for new equipment.
That would be an immutable string, that would remain valid for the life of the equipment
That's a big no-no.
In case an emplyee absconds with the company database, or you fire your consultatnt, passwords must be *changeable*
I guess Mikrotik should be more open as to what threat-model they are working from
There could probably be a place for a "RouterOS-FIPS-For-Ukraine" version, so long as it's not forced on existing, unwilling customers...
After reading your post better I agree and hope MT changes its mind about this terrible press button / power cycle idea.No, I believe the easiest way forward is as I've described:viewtopic.php?p=1103228#p1103228
Yes, a new jump version. There shouldn't be many things added to this device-mode, anyway.A jump version is simply a temporary solution, what happens when Mikrotik decide there is a 'new' device-mode setting that can be set? Another 'jump' version?
This is already the case for things like containers. You either unlock it before deploying it remotely, or have to touch it later. So for the existing device-mode options that you have to "physically unlock," this is a moot point.The problem with a jump version is it leaves the admin with a one time only choice, what options do I set? Now if you want to secure the device in case of possible future exploit you should choose the minimum options required. But what do you do if a year down the track you suddenly discover that a device needs to run a container to solve a new problem? Go to the device and set option and power cycle? Trying to avoid this as it is a bad option, as indicated by the large number of comments in this forum.
And that's fine. This whole thing is intended to lock down home devices, once installed and never upgraded. If You take a look at what is affected, all of them have one thing in common: they can be used to insert code to run, use a second partition as a "malware restore backup" and/or run a container with malware inside.Agreed, in the absence of that, then a jump version is better than an automatically locked down device on upgrade (and certainly better than a QR code). But it will lead me, and many others to just fully unlock the device because I never can be sure when I might need one of those features in the future, especially for my remotely controlled devices.
Any way to get more details on this?*) switch - fixed L2MTU for 25Gbps ports;
is there any docs how we are ablte to use this feature? or best-practice?bridge - added interface-list support for VLAN : the best features!!!!
This will simplify VLAN tables!thank you mikrotik.
100% Agree with you here mate also it should be able to fix and tweak the parts of the operation to get the devices working correctly as they should not take months and months 27SEPT 3 weeks now to be precise since we as a community have seen anything (come on now mikrotik we need fixs more often not weeks apart we would like to use the devices )This is all fault of MikroTik's leadership and decision making / vision. This "one product for everyone" agenda for ALL markets.
The device hardware is quite decent, RouterOS is swiss-army knife with full features. This allows multiple use-cases, from homelab - SOHO/SMB/Enterprise/WISP/ISP.....
This is what I've been saying. If MikroTik carved up a few product sets [CHR,CCR,CRS,etc] for the professional/Enterprise - we may not be in this situation with need of this device-lock. This is a kick in the head to those of us that picked MikroTik due to their flexibility and price to use in a business model. Deploying to customers as CPE's. Or us as professionals deploying to customers as a technology solution, or as our backbone. It is not cost effective to truck roll just to touch a device post-upgrade...
I mean... another vendor is getting heat right now for "forcing" SNMP defaults on devices instead of just keeping disabled. However, this other vendor actually listens to professionals. MikroTik -- are you listening and digesting the gravity of decisions? I think its time for a pivot.
I hope MikroTik will let us contrrol this device lock using the outlined suggestion of device token. RouterOS 7 is a hot mess express, also given this drive for RouterOS enterprise which is not at all synonymous - as they're "add-on" packages that do NOT belong on a router.
RouterOS 7 Focus point should be:
-Fixing current issues [Layer3 items, MLAG, AX, Capsman, IPv4, hardware offloading, VLANS]
- AX wireless
- AC qcom driver fixes
- Security enhancements
Winbox4 -- unsure if this was good timing or how many internal resources on this.
Where is MikroTik device controller?
Move ROSE to be actual RouterOS enterprise on enterprise level hardware, strip the storage network protocols. Leave or rename this to a different MikroTik operating system. MikroTik can probably sell different hardware.
MikroTik RouterOS Core [Routing, wireless packages, options like we had in ROS 6]
MikroTik RouterOS Enterprise [Everything]
MikroTik BoxOS [Enterprise ROSE packages for NAS type appliances - the Gavin Belson]
Then to keep with MikroTik's vision for no feature "lock downs" on THEIR hardware. The above OS's can still be installed onto XXX hardware via NetInstall or via package upload.
/interface bridge add add-dhcp-option82=yes admin-mac=**ELIDED** auto-mac=no dhcp-snooping=yes igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge priority=0x1000
try this (or add required ports manually):
/interface/bridge/mdb/add bridge=bridge group=FF02::2 ports=[/interface/bridge/port/find where bridge=bridge]
Long standing issue with certain USB stick brands.My flash drive is mounted in different slots after each reboot.
As you can see, it turns on either in USB 3.0 mode or in USB 2.0 mode.
Model ax3.
server 10.6.100.18
zone sub.network.test
update add hello.sub.network.test 300 A 1.3.3.7
send
MikroTik should offer "unbound" as an optional DNS resolver package (that replaces the internal one when installed), much like in v6 you could install an optional NTP client/server that would replace/upgrade the internal one.so we're far from a "real" DNS server. And, I'm sure others have their own DNS grips.
"unbound" is not "real" DNS server like BIND is for example... it is DNS caching validating recursor and if you need full DNS functionality you should use NSD in addition to be able to provide authoritative DNS services...MikroTik should offer "unbound" as an optional DNS resolver package (that replaces the internal one when installed), much like in v6 you could install an optional NTP client/server that would replace/upgrade the internal one.so we're far from a "real" DNS server. And, I'm sure others have their own DNS grips.
Except then you have no configuration user interface.container and run whatever you like.
It may be possible to squeeze in a minimal unbound when the existing IP->DNS is removed, but frankly I am not that concerned about 16MB devices, I do not buy them to use as routers.unbound does not fit into 16mb flash by far. look at the unbound distroless docker images. The binary has at least 4mb+. given microtik has a lot of stuff developed in house (I am pretty sure they dont use any popular ssl library for example). It is all a matter of their limited storage they have opted. They limited themselves.
The features are similar to what the current built-in MikroTik DNS resolver has, plus it can resolve from root servers.unbound is a recursive resolver. not an authorative dns. It has some limited features in that regard.
+1It seems to me that Mikrotik would be better of stop trying to develop everything in house and use some opensource software like unbound/nsd for common tasks especially if they are licensed under some non prohibitive license like BSD in case of unbound...
I usually do run DNS servers on a dedicated VMs and not on RouterOS, but wouldn't it be simpler for all, both Mikrotik and us users, that instead of wasting decades on trying to make proprietary software for something as common as DNS, and fail, you use something open source that is well maintained and reliable, after all you do use Linux. And maybe you could even give something back to open source community in form of patches if you happen to modify and improve something...container and run whatever you like.
That I didn't know! Where is it? Great news, finally we are leaving the 16MB behind!Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
There is a video on the MikroTik YouTube channel: https://www.youtube.com/watch?v=Zrzq_zPWoQ4That I didn't know! Where is it? Great news, finally we are leaving the 16MB behind!Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
... as long as someone is there to do the device-mode dance.container and run whatever you like.
So that means /partitions/activate (changing active partition) will after all remain available, and only /partitions/repartition will become locked?!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;
*) device-mode - changed "partition" to allow activate and do not allow repartition (introduced in v7.17beta2);
could you please elaborate? i cannot discern any meaning at all from this entry.*) wifi - added extra info to CAPsMAN about message;
[admin@lab2.i.lfns.org.uk] > routing/pimsm/static-rp/add instance=lan-v6 address=2001:8b0:aab5:3::b
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)
[admin@lab2.i.lfns.org.uk] > put [/system/resource/get version]
7.17beta4 (testing)
Thanks MikroTik 🎉*) wifi - improved FT roaming with WPA3 for some Apple devices;
Code: Select all/interface/bridge/mdb/add bridge=bridge group=FF02::2 ports=[/interface/bridge/port/find where bridge=bridge]
*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU) (additional fixes);
$ ifconfig en0
en0: flags=…
inet6 fd88::…%en0 prefixlen 64 secured scopeid 0x4
"Downgraded" to 7.16.1 -> disk backUpgraded RB5009, USB disk is gone after reboot.
No way to get it back, no USB reset, nada.
Unplugged USB stick, put it back in, doesn't come up again.
Only some small containers on it which are pretty easy to setup again but just wanted to let it know.
Yes, they are listening! Excellent news indeed. :DSo that means /partitions/activate (changing active partition) will after all remain available, and only /partitions/repartition will become locked?
That is good news!
[admin@lab2.i.lfns.org.uk] > /ipv6/route print where dst-address=64:ff9b::/96
Flags: D - DYNAMIC; A - ACTIVE
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DA 64:ff9b::/96 fe80::400:ff:fe00:509%ether1 115
[admin@lab2.i.lfns.org.uk] > /routing/route/print where dst-address=64:ff9b::/96
Flags: A - ACTIVE; i - ISIS
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE IMMEDIATE-GW
Ai 64:ff9b::/96 fe80::400:ff:fe00:509%ether1 ip6 115 20 10 fe80::400:ff:fe00:509%ether1
*) dhcp-relay - added "local-address-as-src-ip" property;
WHAT THE FUCK?What's new in 7.17beta4 (2024-Oct-18 11:32):
!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;
So does routing traffic through my fucking router. We have 2000+ devices and use bandwidth test constantly to debug throughput issues. You don't see Cisco or Arista implement virtual fucking child locks on their routers, they just assume people know what they're doing. MikroTik is trying to be holier than the pope and polish it's turd-like security posture for the rest of the world while screwing over their long-time customers. It's been 3 weeks since the release of v7.17beta2, they've been inundated with replies telling them this needs to be done differently and they ignore all that and introduce this? It's a disgrace.Makes sense. Bandwidth test tools create a bunch of traffic as well.
Yay on the "change active partition" being left alone. This bandwidth-test one I missed.Instead of listening to the critique bandwidth-test is now also disabled?What's new in 7.17beta4 (2024-Oct-18 11:32):
!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;
To be fair, I think Mikrotik is listening. The recent change on partitioning shows this. They will probably go on tweaking this, using the beta as a RFC for the settings.I get the need to dial some things down, but for already-deployed devices, there's got to be a compromise. This affects far more devices than the partition issues do (hundreds vs. dozens for me, anyway).
And its arm as well, so zerotier etc should work.That I didn't know! Where is it? Great news, finally we are leaving the 16MB behind!Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
Do you have any more information on this?What's new in 7.17beta4 (2024-Oct-18 11:32):
*) log - added hostname support to remote logging action;
Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
viewtopic.php?t=211863Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
Was there an announcement I missed? Where do you see this?
/interface/wifi/export
Seems that you did not read this thread, it was posted just above latest beta4 info where we did get this info :)Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
Was there an announcement I missed? Where do you see this?
Apparently they have gotten a lot of flak for being part of DDoS botnets. And now in panic they try to disable all features that could generate a lot of traffic from the botnet members.To be fair, I think Mikrotik is listening. The recent change on partitioning shows this. They will probably go on tweaking this, using the beta as a RFC for the settings.I get the need to dial some things down, but for already-deployed devices, there's got to be a compromise. This affects far more devices than the partition issues do (hundreds vs. dozens for me, anyway).
Well, it's a hard nut to crack. If the user doesn't update, there isn't much we can do about it NOW, is there? Future versions could come with better defaults, more sensible options.Apparently they have gotten a lot of flak for being part of DDoS botnets. And now in panic they try to disable all features that could generate a lot of traffic from the botnet members.
However, as I wrote before I think it is more effective to improve things that affect the home user who is not upgrading anyway...
As I explained in the previous iterations of this topic: there should be a separate channel for urgent updates that really need to be installed to cover some serious issue. It would best be based on a long-term version that has been in use for some time, with the least required changes to cover the new vulnerability.pe1chl, automatic updates mean for the vendor: more, more and much more testing. You cant push out another "stable release" when there are millions of devices out there potentially to turn into bricks.
Definitely not typo, because I have used GUI, not CLI. But CLI export seems .wnm is not supported somehow. HW hAP ac^2.Can you please share:
Remove any private info.Code: Select all/interface/wifi/export
Update: it works on my machine. Could it be a typo?
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .width=20/40mhz configuration.country=Czech .mode=ap \
.multicast-enhance=enabled .qos-classifier=priority .ssid=xxx disabled=no mtu=1500 \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no .wps=disable \
steering.neighbor-group=yyy .rrm=yes .wnm=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz \
configuration.country=Czech .mode=ap .multicast-enhance=enabled .qos-classifier=priority .ssid=xxx \
disabled=no mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes \
.ft-preserve-vlanid=no .wps=disable steering.neighbor-group=yyy .rrm=yes .wnm=yes
And about the “forced” automatic update. IMHO, this is possible only for devices that are configured somehow “step-by-step”, by a wizard, practically without manual involvement of the user.
What's new in 7.17beta4 (2024-Oct-18 11:32):
*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;
*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);
*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;
*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);
Nobody ever suggested “forced” automatic update.Honestly - do you know many home users who would ever update their router firmware at all? Any manufacturer. I haven't met any.
And about the “forced” automatic update.
What I suggest is "default" automatic update configured in devices as they come from the factory.
I think that about sums it up. We have a never ending number of aphorisms for this kind of thing:Let's imagine a situation: you were brought home by a driver. Everyone got out, and the driver did not close the windows. And everyone went to bed. At night it rained heavily, water got into the car and something in the cabin got spoiled. You come to the car in the morning and notice the breakdown. Instead of scolding the driver, who operated the car incorrectly, you call the manufacturer of the car and start expressing your claims of improper quality.
Once again, I am NOT talking about "force". I am talking about "help".What I suggest is "default" automatic update configured in devices as they come from the factory.
In principle, everything is great: the “new” device should, for example, first be connected by the WAN port to the switch or current router and the firmware should be updated. After that - configure it with the help of some wizard.
But - this does not solve the problem, how to “force” users to update in the future?
Installed 7.17beta4 and again issue with DHCP Relay popup - now even changing it to Bridge or to relevant interface, did not help.Found the issue, I had to change the interfaces for other relays (up/down) - when I had all set to bridge, it stopped working on 7.17 beta.
What your logs say ? If you are experiencing a problem please create supout.rif file and open a ticket with support so they can fix the bug.
I have few devices on 7.17beta and i experience no problems with dhcp server.
2024-10-01 08_15_39-Clipboard.png
I changed it as per relevant interfaces and works again fine.
Re logs, there were no erros just : "dhcp_main offering lease 10.0.0.XX for XX:XX:XX:XX:XX:XX without success"
Dear Guntis, thanks for reply. There is definitely not any restriction, due to the simple fact Superchannel was possible to set on RouterOS 6 on hAP ac^2. I have raised the ticket SUP-169040 for Superchannel issue and SUP-169041 for wnm=yes issue mentioned above too. To complete overall "trinity" of issues, I have raised SUP-169042 for very probably memory leak related to fq-codel and queue implementation in RouterOS 7 branch.igorr29 - regarding Superchannel, it is a country profile that allows wider frequency selection, and must be used with caution to ensure regulatory compliance. What frequency can be selected is a combination of country profile you select and what frequencies the hardware supports, like with any other country profile. In this case, you selected a non-supported range - interfaces point of view. You can find what frequencies interface supports with "/interface/wifi/radio/print detail"
sit75 - what device are you using? Perhaps it is country locked? If it is not country locked device, please create a support ticket.
That sure would have been better...and not only for address lists.Could we get address lists similar to interface lists where you first define a list and then add items to it? The ultimate goal is the ability to nest address lists. This could simplify my configurations immensely.
Depending on what type of router you use
configure partitioning
What didn't work?i Just tried to add WPA3 via sec1 and apply to 3 of my wifi interfaces but it didn't work.
/interface/wifi/export
i wouldnt say perfectlyWhat didn't work?i Just tried to add WPA3 via sec1 and apply to 3 of my wifi interfaces but it didn't work.
I tend to perform an export when in doubt if settings are correct:
Alternatively you can use a wifi scanner for getting insights wether i.e. WPA3 is available.Code: Select all/interface/wifi/export
Fwiw, WPA3 is working next to WAP2 perfectly.
It's now working (WPA3 that is) but when I tried to add wpa3 via my sec1 config it wasn't applying properly for some reason.What didn't work?i Just tried to add WPA3 via sec1 and apply to 3 of my wifi interfaces but it didn't work.
I tend to perform an export when in doubt if settings are correct:
Alternatively you can use a wifi scanner for getting insights wether i.e. WPA3 is available.Code: Select all/interface/wifi/export
Fwiw, WPA3 is working next to WAP2 perfectly.
Hope that helps!Anything can be overridden, could that have been the case? Can you share your config?
# 2024-10-22 11:51:18 by RouterOS 7.17beta4
# software id =
#
# model = C52iG-5HaxD2HaxD
# serial number =
/interface bridge
add admin-mac=18:FD auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=5ghz-ax comment=25mw disabled=no frequency=5745 name=155 \
skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180 name=42 skip-dfs-channels=\
10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500 name=106 skip-dfs-channels=\
10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412 name=1 skip-dfs-channels=\
10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2437 name=6 skip-dfs-channels=\
10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2462 name=11 skip-dfs-channels=\
10min-cac width=20mhz
/interface wifi
set [ find default-name=wifi1 ] channel=42 configuration.country=\
"United Kingdom" .mode=ap .ssid=002 disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp \
.management-protection=allowed .wps=disable
add configuration.hide-ssid=yes .mode=ap .ssid=Radio disabled=no mac-address=\
1A:FD master-interface=wifi1 name=wifi3 \
security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp .wps=\
disable
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp ft=yes \
ft-over-ds=yes management-protection=allowed name=sec1 wps=disable
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-001-84ef rrm=\
yes wnm=yes
/interface wifi
# operated by CAP 48:A9, traffic processing on CAP
add channel=106 channel.frequency=5500 configuration.country="United Kingdom" \
.mode=ap .ssid=001 disabled=no name=cap-wifi1 radio-mac=\
48:A9 security=sec1 steering=steering1
# operated by CAP 48:A9, traffic processing on CAP
add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 \
disabled=no name=cap-wifi2 radio-mac=48:A9 security=sec1 \
steering=steering1
set [ find default-name=wifi2 ] channel=11 configuration.country=\
"United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 \
steering=steering1
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/queue type
add kind=fq-codel name=fq_codel
add kind=cake name=cake
/queue simple
add disabled=yes max-limit=250M/25M name=QOS queue=\
pcq-upload-default/pcq-download-default target=ether1
add max-limit=250M/25M name=fq_codel queue=fq_codel/fq_codel target=ether1 \
total-queue=fq_codel
add disabled=yes max-limit=250M/25M name=cake queue=cake/cake target=ether1
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server servers
add mac-address=FE:92 name=ovpn-server1
/interface wifi access-list
add action=reject disabled=no interface=cap-wifi2 mac-address=\
1C:56
add action=reject disabled=no interface=cap-wifi1 mac-address=\
84:2A
add action=reject disabled=no interface=cap-wifi2 mac-address=\
84:2A
add action=reject disabled=no interface=wifi1 mac-address=84:2A
add action=reject disabled=no interface=cap-wifi1 mac-address=\
60:6B
add action=reject disabled=no interface=wifi2 mac-address=60:6B
add action=reject disabled=no interface=cap-wifi2 mac-address=\
6C:A1
add action=reject disabled=no interface=wifi1 mac-address=6C:A1
add action=reject disabled=no interface=wifi2 mac-address=6C:A1
/interface wifi capsman
set enabled=yes
/ip address
add address=192.168.0.254/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.0.135 client-id=1:a0:80 mac-address=\
A0:80 server=defconf
add address=192.168.0.8 client-id=1:dc:a6 mac-address=\
DC:A6 server=defconf
add address=192.168.0.4 client-id=1:84:2a mac-address=\
84:2A server=defconf
add address=192.168.0.104 client-id=\
mac-address=\
DC:A6 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.254 gateway=\
192.168.0.254
/ip dns
set allow-remote-requests=yes cache-size=250000KiB \
doh-max-concurrent-queries=200 doh-max-server-connections=4 doh-timeout=\
6s max-concurrent-queries=200 max-concurrent-tcp-sessions=40 \
use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns adlist
add url="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pr\
o.txt"
/ip dns static
add address=192.168.0.254 comment=defconf name=router.lan type=A
add address=1.1.1.1 name=cloudflare-dns.com type=A
add address=1.0.0.1 name=cloudflare-dns.com type=A
add address=9.9.9.9 disabled=yes name=dns.quad9.net type=A
add address=149.112.112.112 disabled=yes name=dns.quad9.net type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/London
/system leds settings
set all-leds-off=immediate
/system logging
add action=echo disabled=yes topics=dns
/system note
set show-at-login=no
/system package update
set channel=testing
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Remove .encryption=ccmp . It might help.Hope that helps!Anything can be overridden, could that have been the case? Can you share your config?
Code: Select all# 2024-10-22 11:51:18 by RouterOS 7.17beta4 # software id = # # model = C52iG-5HaxD2HaxD # serial number = /interface bridge add admin-mac=18:FD auto-mac=no comment=defconf name=bridge /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wifi channel add band=5ghz-ax comment=25mw disabled=no frequency=5745 name=155 \ skip-dfs-channels=10min-cac width=20/40/80mhz add band=5ghz-ax disabled=no frequency=5180 name=42 skip-dfs-channels=\ 10min-cac width=20/40/80mhz add band=5ghz-ax disabled=no frequency=5500 name=106 skip-dfs-channels=\ 10min-cac width=20/40/80mhz add band=2ghz-ax disabled=no frequency=2412 name=1 skip-dfs-channels=\ 10min-cac width=20mhz add band=2ghz-ax disabled=no frequency=2437 name=6 skip-dfs-channels=\ 10min-cac width=20mhz add band=2ghz-ax disabled=no frequency=2462 name=11 skip-dfs-channels=\ 10min-cac width=20mhz /interface wifi set [ find default-name=wifi1 ] channel=42 configuration.country=\ "United Kingdom" .mode=ap .ssid=002 disabled=no \ security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp \ .management-protection=allowed .wps=disable add configuration.hide-ssid=yes .mode=ap .ssid=Radio disabled=no mac-address=\ 1A:FD master-interface=wifi1 name=wifi3 \ security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp .wps=\ disable /interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp ft=yes \ ft-over-ds=yes management-protection=allowed name=sec1 wps=disable /interface wifi steering add disabled=no name=steering1 neighbor-group=dynamic-001-84ef rrm=\ yes wnm=yes /interface wifi # operated by CAP 48:A9, traffic processing on CAP add channel=106 channel.frequency=5500 configuration.country="United Kingdom" \ .mode=ap .ssid=001 disabled=no name=cap-wifi1 radio-mac=\ 48:A9 security=sec1 steering=steering1 # operated by CAP 48:A9, traffic processing on CAP add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 \ disabled=no name=cap-wifi2 radio-mac=48:A9 security=sec1 \ steering=steering1 set [ find default-name=wifi2 ] channel=11 configuration.country=\ "United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 \ steering=steering1 /ip pool add name=dhcp ranges=192.168.0.100-192.168.0.200 /ip dhcp-server add address-pool=dhcp interface=bridge lease-time=1d name=defconf /ip smb users set [ find default=yes ] disabled=yes /queue type add kind=fq-codel name=fq_codel add kind=cake name=cake /queue simple add disabled=yes max-limit=250M/25M name=QOS queue=\ pcq-upload-default/pcq-download-default target=ether1 add max-limit=250M/25M name=fq_codel queue=fq_codel/fq_codel target=ether1 \ total-queue=fq_codel add disabled=yes max-limit=250M/25M name=cake queue=cake/cake target=ether1 /interface bridge filter add action=drop chain=forward in-interface=wifi3 add action=drop chain=forward out-interface=wifi3 /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge comment=defconf interface=ether5 add bridge=bridge comment=defconf interface=wifi1 add bridge=bridge comment=defconf interface=wifi2 add bridge=bridge interface=wifi3 /ip firewall connection tracking set udp-timeout=10s /ip neighbor discovery-settings set discover-interface-list=LAN /ipv6 settings set disable-ipv6=yes /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN /interface ovpn-server servers add mac-address=FE:92 name=ovpn-server1 /interface wifi access-list add action=reject disabled=no interface=cap-wifi2 mac-address=\ 1C:56 add action=reject disabled=no interface=cap-wifi1 mac-address=\ 84:2A add action=reject disabled=no interface=cap-wifi2 mac-address=\ 84:2A add action=reject disabled=no interface=wifi1 mac-address=84:2A add action=reject disabled=no interface=cap-wifi1 mac-address=\ 60:6B add action=reject disabled=no interface=wifi2 mac-address=60:6B add action=reject disabled=no interface=cap-wifi2 mac-address=\ 6C:A1 add action=reject disabled=no interface=wifi1 mac-address=6C:A1 add action=reject disabled=no interface=wifi2 mac-address=6C:A1 /interface wifi capsman set enabled=yes /ip address add address=192.168.0.254/24 comment=defconf interface=bridge network=\ 192.168.0.0 /ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no /ip dhcp-server lease add address=192.168.0.135 client-id=1:a0:80 mac-address=\ A0:80 server=defconf add address=192.168.0.8 client-id=1:dc:a6 mac-address=\ DC:A6 server=defconf add address=192.168.0.4 client-id=1:84:2a mac-address=\ 84:2A server=defconf add address=192.168.0.104 client-id=\ mac-address=\ DC:A6 server=defconf /ip dhcp-server network add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.254 gateway=\ 192.168.0.254 /ip dns set allow-remote-requests=yes cache-size=250000KiB \ doh-max-concurrent-queries=200 doh-max-server-connections=4 doh-timeout=\ 6s max-concurrent-queries=200 max-concurrent-tcp-sessions=40 \ use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes /ip dns adlist add url="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pr\ o.txt" /ip dns static add address=192.168.0.254 comment=defconf name=router.lan type=A add address=1.1.1.1 name=cloudflare-dns.com type=A add address=1.0.0.1 name=cloudflare-dns.com type=A add address=9.9.9.9 disabled=yes name=dns.quad9.net type=A add address=149.112.112.112 disabled=yes name=dns.quad9.net type=A /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment=\ "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" \ ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" \ ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related disabled=yes hw-offload=yes add action=accept chain=forward comment=\ "defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN /ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 /ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set ssh disabled=yes /ip smb shares set [ find default=yes ] directory=/pub /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=\ 33434-33534 protocol=udp add action=accept chain=input comment=\ "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\ udp src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \ protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=input comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN add action=accept chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment=\ "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \ hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=\ 500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=forward comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN /system clock set time-zone-name=Europe/London /system leds settings set all-leds-off=immediate /system logging add action=echo disabled=yes topics=dns /system note set show-at-login=no /system package update set channel=testing /tool bandwidth-server set authenticate=no enabled=no /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN
Network type : Infrastructure
Radio type : 802.11ax
Authentication : WPA3-Personal (H2E)
Cipher : CCMP
Connection mode : Profile
Band : 5 GHz
Channel : 36
Receive rate (Mbps) : 1201
Transmit rate (Mbps) : 1201
Signal : 88%
Authentication and cipher supported in infrastructure mode:
Open None
Open WEP-40bit
Open WEP-104bit
Open WEP
WPA-Enterprise TKIP
WPA-Enterprise CCMP
WPA-Personal TKIP
WPA-Personal CCMP
WPA2-Enterprise TKIP
WPA2-Enterprise CCMP
WPA2-Personal TKIP
WPA2-Personal CCMP
Open Vendor defined
WPA3-Personal CCMP
Vendor defined Vendor defined
WPA3-Enterprise 192 Bits GCMP-256
OWE CCMP
WPA3-Enterprise CCMP
WPA3-Enterprise TKIP
I'll add it tomorrow for giggles but if I recall way back when both was used some of my gear would not connect!Better try ".encryption=ccmp,gcmp" instead. ccmp is the default value.
No, remove it completely. I have bad experience with explicit verbose encryption type. WPA2 and WPA3 is enough. When there were explicit encryption type, some devices rejected to connect - that is my experience. I would avoid even explicit PMF. Devices can negotiate the best and the most secure protocol anyway.Better try ".encryption=ccmp,gcmp" instead. ccmp is the default value.
Remove .encryption=ccmp . It might help.
Hope that helps!
Code: Select all# 2024-10-22 11:51:18 by RouterOS 7.17beta4 # software id = # # model = C52iG-5HaxD2HaxD # serial number = /interface bridge add admin-mac=18:FD auto-mac=no comment=defconf name=bridge /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wifi channel add band=5ghz-ax comment=25mw disabled=no frequency=5745 name=155 \ skip-dfs-channels=10min-cac width=20/40/80mhz add band=5ghz-ax disabled=no frequency=5180 name=42 skip-dfs-channels=\ 10min-cac width=20/40/80mhz add band=5ghz-ax disabled=no frequency=5500 name=106 skip-dfs-channels=\ 10min-cac width=20/40/80mhz add band=2ghz-ax disabled=no frequency=2412 name=1 skip-dfs-channels=\ 10min-cac width=20mhz add band=2ghz-ax disabled=no frequency=2437 name=6 skip-dfs-channels=\ 10min-cac width=20mhz add band=2ghz-ax disabled=no frequency=2462 name=11 skip-dfs-channels=\ 10min-cac width=20mhz /interface wifi set [ find default-name=wifi1 ] channel=42 configuration.country=\ "United Kingdom" .mode=ap .ssid=002 disabled=no \ security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp \ .management-protection=allowed .wps=disable add configuration.hide-ssid=yes .mode=ap .ssid=Radio disabled=no mac-address=\ 1A:FD master-interface=wifi1 name=wifi3 \ security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp .wps=\ disable /interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp ft=yes \ ft-over-ds=yes management-protection=allowed name=sec1 wps=disable /interface wifi steering add disabled=no name=steering1 neighbor-group=dynamic-001-84ef rrm=\ yes wnm=yes /interface wifi # operated by CAP 48:A9, traffic processing on CAP add channel=106 channel.frequency=5500 configuration.country="United Kingdom" \ .mode=ap .ssid=001 disabled=no name=cap-wifi1 radio-mac=\ 48:A9 security=sec1 steering=steering1 # operated by CAP 48:A9, traffic processing on CAP add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 \ disabled=no name=cap-wifi2 radio-mac=48:A9 security=sec1 \ steering=steering1 set [ find default-name=wifi2 ] channel=11 configuration.country=\ "United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 \ steering=steering1 /ip pool add name=dhcp ranges=192.168.0.100-192.168.0.200 /ip dhcp-server add address-pool=dhcp interface=bridge lease-time=1d name=defconf /ip smb users set [ find default=yes ] disabled=yes /queue type add kind=fq-codel name=fq_codel add kind=cake name=cake /queue simple add disabled=yes max-limit=250M/25M name=QOS queue=\ pcq-upload-default/pcq-download-default target=ether1 add max-limit=250M/25M name=fq_codel queue=fq_codel/fq_codel target=ether1 \ total-queue=fq_codel add disabled=yes max-limit=250M/25M name=cake queue=cake/cake target=ether1 /interface bridge filter add action=drop chain=forward in-interface=wifi3 add action=drop chain=forward out-interface=wifi3 /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge comment=defconf interface=ether5 add bridge=bridge comment=defconf interface=wifi1 add bridge=bridge comment=defconf interface=wifi2 add bridge=bridge interface=wifi3 /ip firewall connection tracking set udp-timeout=10s /ip neighbor discovery-settings set discover-interface-list=LAN /ipv6 settings set disable-ipv6=yes /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN /interface ovpn-server servers add mac-address=FE:92 name=ovpn-server1 /interface wifi access-list add action=reject disabled=no interface=cap-wifi2 mac-address=\ 1C:56 add action=reject disabled=no interface=cap-wifi1 mac-address=\ 84:2A add action=reject disabled=no interface=cap-wifi2 mac-address=\ 84:2A add action=reject disabled=no interface=wifi1 mac-address=84:2A add action=reject disabled=no interface=cap-wifi1 mac-address=\ 60:6B add action=reject disabled=no interface=wifi2 mac-address=60:6B add action=reject disabled=no interface=cap-wifi2 mac-address=\ 6C:A1 add action=reject disabled=no interface=wifi1 mac-address=6C:A1 add action=reject disabled=no interface=wifi2 mac-address=6C:A1 /interface wifi capsman set enabled=yes /ip address add address=192.168.0.254/24 comment=defconf interface=bridge network=\ 192.168.0.0 /ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no /ip dhcp-server lease add address=192.168.0.135 client-id=1:a0:80 mac-address=\ A0:80 server=defconf add address=192.168.0.8 client-id=1:dc:a6 mac-address=\ DC:A6 server=defconf add address=192.168.0.4 client-id=1:84:2a mac-address=\ 84:2A server=defconf add address=192.168.0.104 client-id=\ mac-address=\ DC:A6 server=defconf /ip dhcp-server network add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.254 gateway=\ 192.168.0.254 /ip dns set allow-remote-requests=yes cache-size=250000KiB \ doh-max-concurrent-queries=200 doh-max-server-connections=4 doh-timeout=\ 6s max-concurrent-queries=200 max-concurrent-tcp-sessions=40 \ use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes /ip dns adlist add url="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pr\ o.txt" /ip dns static add address=192.168.0.254 comment=defconf name=router.lan type=A add address=1.1.1.1 name=cloudflare-dns.com type=A add address=1.0.0.1 name=cloudflare-dns.com type=A add address=9.9.9.9 disabled=yes name=dns.quad9.net type=A add address=149.112.112.112 disabled=yes name=dns.quad9.net type=A /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment=\ "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" \ ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" \ ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related disabled=yes hw-offload=yes add action=accept chain=forward comment=\ "defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN /ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 /ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set ssh disabled=yes /ip smb shares set [ find default=yes ] directory=/pub /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=\ 33434-33534 protocol=udp add action=accept chain=input comment=\ "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\ udp src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \ protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=input comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN add action=accept chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment=\ "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \ hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=\ 500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=forward comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN /system clock set time-zone-name=Europe/London /system leds settings set all-leds-off=immediate /system logging add action=echo disabled=yes topics=dns /system note set show-at-login=no /system package update set channel=testing /tool bandwidth-server set authenticate=no enabled=no /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN
Client can only use what AP promotes to support. So that's the base for negotiation. And if you disable WPA3-SAE on the AP, the client won't be able to "negotiate the most secure protocol anyway".No, remove it completely. I have bad experience with explicit verbose encryption type. WPA2 and WPA3 is enough. When there were explicit encryption type, some devices rejected to connect - that is my experience. I would avoid even explicit PMF. Devices can negotiate the best and the most secure protocol anyway.Better try ".encryption=ccmp,gcmp" instead. ccmp is the default value.
It seems that there is difference between security. And SSID (on purpose?). I would always make one item (per SSID) in /interface/wifi/security and use that on all interfaces. Because when specifying security items on /interface/wifi explicitely, it will override the selected security item.Hope that helps!
When you are using winbox, that is a disaster waiting to happen!!!It seems that there is difference between security. And SSID (on purpose?). I would always make one item (per SSID) in /interface/wifi/security and use that on all interfaces. Because when specifying security items on /interface/wifi explicitely, it will override the selected security item.
Some day I am going to file a feature request at Mikrotik support: "highlight overriden config values in export in different color". Or as a dedicated option in "print detail" or something. I've seen so many exports and always there are redundancies that make it hard a) to read and b) to follow.t will override the selected security item.
Inherited values should show in "greyed out" style until you change and save them, and should not be saved back into the config when they aren't changed.Some day I am going to file a feature request at Mikrotik support: "highlight overriden config values in export in different color". Or as a dedicated option in "print detail" or something. I've seen so many exports and always there are redundancies that make it hard a) to read and b) to follow.t will override the selected security item.
Lets go back to the start, but first context!It seems that there is difference between security. And SSID (on purpose?). I would always make one item (per SSID) in /interface/wifi/security and use that on all interfaces. Because when specifying security items on /interface/wifi explicitely, it will override the selected security item.Hope that helps!
Can you elaborate how you want things to work?
Can't help you with that. Still, from a conceptual perspective I would use a /interface/wifi/security item per ssid. Personal preference...Does it all work now, yes all good, I was just trying to reason why!
I used to do that but when you have to change everything 3 times and NOT make a mistake in the middle of it all, to me my way makes more sense to me. I guess we will have to beg-to-differ!Can't help you with that. Still, from a conceptual perspective I would use a /interface/wifi/security item per ssid. Personal preference...Does it all work now, yes all good, I was just trying to reason why!
But in the end...good to hear it works already.
I described the probably reason for that a couple of posts above. It is an error in winbox.So I wanted to add WPA3 to SSID 01 for testing. I tried to apply WPA3 via sec1 to it but for some reason it wouldn't apply the setting, i tried several times and restarted the router a few times as well. In the end the only way the WPA3 setting would apply was by doing it via each wifi interface manually.
Well at least 2 of us are on the same page, thats why i posted 'cus it didn't make any sense.I described the probably reason for that a couple of posts above. It is an error in winbox.So I wanted to add WPA3 to SSID 01 for testing. I tried to apply WPA3 via sec1 to it but for some reason it wouldn't apply the setting, i tried several times and restarted the router a few times as well. In the end the only way the WPA3 setting would apply was by doing it via each wifi interface manually.
Were you able to get the FT/Steering to work with WPA3?I have 3 SSID'S across 2 devices with a hAP ax2 as controller and cAP ax as AP. SSID 01 runs 2.4G+5G on the cAP and 2.4G on the hAP which is my main wifi network which has FT/Steering with security being supplied by by sec1. Then I have SSID 02 5G which is my Living room wifi with FT disabled and SSID 03 (Radio) which is guest wifi 5G, both of these have the security set manually.
So I wanted to add WPA3 to SSID 01 for testing.
Does it all work now, yes all good, I was just trying to reason why!
just a quick reply, I can't give you a proper answer at this point because i have been messing with other settings as well. But I will get back to you in the next few days.Were you able to get the FT/Steering to work with WPA3?I have 3 SSID'S across 2 devices with a hAP ax2 as controller and cAP ax as AP. SSID 01 runs 2.4G+5G on the cAP and 2.4G on the hAP which is my main wifi network which has FT/Steering with security being supplied by by sec1. Then I have SSID 02 5G which is my Living room wifi with FT disabled and SSID 03 (Radio) which is guest wifi 5G, both of these have the security set manually.
So I wanted to add WPA3 to SSID 01 for testing.
Does it all work now, yes all good, I was just trying to reason why!
Some devices do not roam when WPA3 is enabled, while others (iPhone for example) only work well but only with beta4.
Out of curiosity what winbox you using?Lets go back to the start, but first context!
It seems that there is difference between security. And SSID (on purpose?). I would always make one item (per SSID) in /interface/wifi/security and use that on all interfaces. Because when specifying security items on /interface/wifi explicitely, it will override the selected security item.
Can you elaborate how you want things to work?
I have 3 SSID'S across 2 devices with a hAP ax2 as controller and cAP ax as AP. SSID 01 runs 2.4G+5G on the cAP and 2.4G on the hAP which is my main wifi network which has FT/Steering with security being supplied by by sec1. Then I have SSID 02 5G which is my Living room wifi with FT disabled and SSID 03 (Radio) which is guest wifi 5G, both of these have the security set manually.
So I wanted to add WPA3 to SSID 01 for testing. I tried to apply WPA3 via sec1 to it but for some reason it wouldn't apply the setting, i tried several times and restarted the router a few times as well. In the end the only way the WPA3 setting would apply was by doing it via each wifi interface manually.
Does it all work now, yes all good, I was just trying to reason why!
This is still an issue with RouterOS 7.17beta4. Just opened support ticket SUP-169652.Hmm, looks like the SFTP client is broken... The backup script on my lab device failed. All other devices running 7.16 did succeed, so I am sure the server is ok.
SFTP works fine on my router with 7.17beta2This is still an issue with RouterOS 7.17beta4. Just opened support ticket SUP-169652.Hmm, looks like the SFTP client is broken... The backup script on my lab device failed. All other devices running 7.16 did succeed, so I am sure the server is ok.
The support reproduced this, a fix is pending.This is still an issue with RouterOS 7.17beta4. Just opened support ticket SUP-169652.Hmm, looks like the SFTP client is broken... The backup script on my lab device failed. All other devices running 7.16 did succeed, so I am sure the server is ok.
Where to find it on the docs?7.17beta5 😀
an that is bad?? your eagerness to criticize sometimes gets out of hand, i think is a good thing that documentation improves on following or even anticipate changes and new features, its not perfect, but,https://help.mikrotik.com/docs already has references to 7.17beta5, but only beta4 is available in testing chain.
1- Those complainer that only complain and do not know how to differ a testing chain from a stable chain are a pain in the a**.
2- Mikrotik Guys are becoming afraid of the critics of those complainers and it make the process Weak.
It's bad to the extent that all that complaining about changes in device-mode made Mikrotik Guys go back to hiding progress, and stop releasing testing with every possible release.an that is bad??
https://help.mikrotik.com/docs/pages/di ... ersions=29Where to find it on the docs?7.17beta5 😀
that's the nature of this community i learnt over the years now. sad.But putting myself in their shoes, if every time they release a change a horde of zombies appears shouting (even though it's in testing), it's only natural that they start hiding their actions more.an that is bad??
...any chances? :|
so, could
...mean a pathway to use MACsec with hardware offload in the near future? (yeah i know, MACsec and TLS connection does not go along in the same sentence - but the option to use hw-offload for GCM ciphers ... just curious...)Code: Select all*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;
Like my tik trainer said, "don't listen to the forums" ^^that's the nature of this community i learnt over the years now. sad.
But putting myself in their shoes, if every time they release a change a horde of zombies appears shouting (even though it's in testing), it's only natural that they start hiding their actions more.
Every company on the planet that releases alphas and betas is doing so for user feedback. With MikroTik, unless you're a large buyer (i.e. distributor or VAR) or have some other means of influence, the forums and support tickets are the only way to get their attention.
It's bad to the extent that all that complaining about changes in device-mode made Mikrotik Guys go back to hiding progress, and stop releasing testing with every possible release.
I completely agree on that part.But it's sad it took so much "yelling" (as it were) to get it considered
That's great that they listen to the ISPs. I heard that also on the "End-User" end they changed.from many of the ISPs who buy
That's quite disappointing to hear.In all the years I've gone to ISP-related shows, I've yet to see MikroTik show up in any kind of official capacity
beta4 is so stable?
Read: we are making it less stable :)Do not worry, we are working on a new beta releases, ...
I agree and I'm ready to test and happy to give feedback on MPLS HW Offloading and Multiple VRF tables L3HW Offloading not only main table. (only reason I cant use L3HW Offloading)Nothing to resist. That is the whole point of beta releases. Bunch of new stuff to test which can break something else. Otherwise, we would not release them at all like in the past and just prepare stable rc. Again - betas are released to test specific fixes, not the general system stability.
What about Hardware offload of L3VPN MPLS?
Or even Hardware offload of a quite simple thing like VRFs?
Let's talk about hardware offload?
Not just kernel bypass (fast-path) but hardware offload itself...
Let's talk about the issues the comes with the actual methodology of hardware offload.
For example, if the packets are in hardware offload, no IPFIX/Netflow, and no firewall rules(even raw) are possible.
A recurrent complain is that RouterOS is becoming more Enterprise then Telco.
Is kind of true. But it is unavoidable...
What is avoidable is that those extra features interferes on progress of the core of the solution...
Have you (Mikrotik Guys) considered to put all those extra resources in Extra packages? Containers?
And what about doing all the process of control-plane being on containers?
Similar to what junos Evo and IOS-XR is doing?
It would allow better control of resources, priority, reservation.
Well... Something I said hurt somebody.
Some(maybe several) of my replies were deleted.
Attitude of incompetent and cowardly people!
I do not remember exactly what I said.
But it were related to the fact Mikrotik Guys need to split the support of hardware offload support on their development.
The limitations faced today are imposed by old models of switchchip(Atheros and Mediatek).
Marvel Prestera and Marvel Link street(Maybe eve sobre of RTL chips) certainly do support more than what is being used by Mikrotik now days!
Certainly multi VRF, L3VPN(PE), VXLAN, stateless firewall, and even a bit of Stateful firewall.
And I'm not just talking about CCR2216 here...
CRS 317/326, even 305, could be used to do PE of underlayed/overlayed networks.
To be clear, this is the difference between corporative networks to Telco Networks.
I'm talking about changing to nftables and support eBPF/XDP.
And it will probably not be supported by the old devices.
To workaround that, Mikrotik guys will need to split the development for old pieces from development for new hardware.,
I disagree, sure they need to work to resolve some key issues that affecting big portion of people but I wouldn't go as far as to say it looks bleak...The future with MT is bleak anything with Service Provider solution my company accept that facts now, we are now going back to Juniper as much as possible and put mikrotik on some areas as we see it fit or put them in the shelves for eternity who knows one of these days they are going to land some code and harness the full potential of the hardware
I agree, for x86 solution some of my partner prefer using vyos.The future with MT is bleak anything with Service Provider solution my company accept that facts now, we are now going back to Juniper as much as possible and put mikrotik on some areas as we see it fit or put them in the shelves for eternity who knows one of these days they are going to land some code and harness the full potential of the hardware
I understand and respect your point of view and I can only hope that things improve before my point of view follows same as yours.Yep you can disagree with me anytime but it's happening, we can no longer wait for mikrotik to mature its routing and switching portfolio our company is now restructuring the team willing to let go some MT engineer not willing to be re-assigned or adapt other platform, MT not wanting to spend development on SP space cause havoc and push us to the other direction.
We learned the hard lesson and I think there's no turning back
We are also in the same position as you. Looking to completely move away. Even with the other hardware vendor options being more expensive; long term will be less expensive....Yep you can disagree with me anytime but it's happening, we can no longer wait for mikrotik to mature its routing and switching portfolio our company is now restructuring the team willing to let go some MT engineer not willing to be re-assigned or adapt other platform, MT not wanting to spend development on SP space cause havoc and push us to the other direction.
We learned the hard lesson and I think there's no turning back
The webfig "status page" was the only way to create some customer-friendly dashboard. I use these status pages (and custom "QuickSet-safe" defconf) to enable deployment by less-sophisticated installers/customers. So I'm not sure why remove stuff that was actually working. While the whole "status page" system could be improved – it was the only way I've found to present some simple "dashboard" to see if the routers was working, without having to navigate a half-dozen RouterOS menus to find out same info....*) webfig - status page is deprecated, old status page config will work, but can't be updated or created;
ROS supports two different "methodologies" of hardware offload. if you use basic L3HW, you cannot offload iptables rules, but you can do filtering in the switch chip, which is largely equivalent to raw rules.Let's talk about the issues the comes with the actual methodology of hardware offload.
For example, if the packets are in hardware offload, no IPFIX/Netflow, and no firewall rules(even raw) are possible.
If you read this forum then you will notice statements that more than one developer is working on ROS. Adding NAS features does not mean that work on HW acceleration is stopped.But how should i sell my colleagues and boss a Solution which is completely randomly deciding to focus on NAS Features when things like HW-accel or proper HA are nothing near ready?
You are right. I just felt there was kind of a trend going on the last couple releases. But maybe i'm wrong. :)If you read this forum then you will notice statements that more than one developer is working on ROS. Adding NAS features does not mean that work on HW acceleration is stopped.But how should i sell my colleagues and boss a Solution which is completely randomly deciding to focus on NAS Features when things like HW-accel or proper HA are nothing near ready?
Just look at the changelog of each release and see how many things are being worked on at a time.
LOL. It's writing the UTF-8 unicode for • (a bullet, option+8 on Mac)3) From the GUI, if you go into a wifi interface that is set up as PSK, and simply click "Apply", the passphrase will be corrupted and you'll have to go back and retype it.
Under the hood it sets the passphrase to \E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2 no matter what it was prior.
which requires `ssh`, since Winbox4 Terminal will NOT render the UTF-8, which was a previously complaint pages ago here...:put "\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2"
••••••••
I thought it had something to do with the new UTF-8 support... thank you for clarifying that. I don't think WIFI passwords even support UTF-8, so we might want to nix that.LOL. It's writing the UTF-8 unicode for • (a bullet, option+8 on Mac)3) From the GUI, if you go into a wifi interface that is set up as PSK, and simply click "Apply", the passphrase will be corrupted and you'll have to go back and retype it.
Under the hood it sets the passphrase to \E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2 no matter what it was prior.:put "\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2"
••••••••
what ros where you trying to downgrade to??Also, downgrading was a bit of a surprise. It would let me click "Downgrade" but nothing would happen and it would delete my downgrade files in the Files folder.
The logs showed that downgrading was not enabled. If it's not enabled, it should probably tell me so I can correct it BEFORE it fails to downgrade.
Also, having to press the button to disable downgrading.... I get it for security reasons, but I think the beta channel should, by default, allow downgrading when moving to this new version. Where the stable channel would not.
This is what the log said after the router rebooted for a downgrade:
downgrade.png
Maye be a Winbox 4 bug and not related to this specific ROS version. But as I always said for years: I don't trust Winbox.3) From the GUI, if you go into a wifi interface that is set up as PSK, and simply click "Apply", the passphrase will be corrupted and you'll have to go back and retype it.
Under the hood it sets the passphrase to \E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2 no matter what it was prior.
This issue has an easy workaround, don't save anything from the GUI.
OK!Please keep topic to release notes! You are free to make a new topic and continue offtopic in there, but this topic must not be messed up by other discussions except changes in the version.
It helps to show a couple of example log lines. There are some different reasons why these appear.Due to the number of fixes I updated from latest release 16.x to 17beta4. I am now seeing a lot (like thousands) of 'invalid' dropped packets on the firewall.
Here are some examples though I can see these are in error.It helps to show a couple of example log lines. There are some different reasons why these appear.Due to the number of fixes I updated from latest release 16.x to 17beta4. I am now seeing a lot (like thousands) of 'invalid' dropped packets on the firewall.
2024-11-04 13:10:22 firewall,info **Fwd:ERR:TCP forward: in:BR11-lan out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 24:5e:be:67:c8:5f, proto TCP (ACK), 192.168.30.60:45009->207.243.203.2:10006, len 168
2024-11-04 13:10:23 firewall,info **Fwd:ERR:TCP forward: in:BR11-lan out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 24:5e:be:67:c8:5f, proto TCP (ACK), 192.168.30.60:45997->73.203.163.244:5000, len 168
2024-11-04 13:10:23 firewall,info **Fwd:ERR:TCP forward: in:BR11-lan out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 24:5e:be:67:c8:5f, proto TCP (ACK,FIN,PSH), 192.168.30.60:36529->75.109.55.175:6681, len 148
2024-11-04 13:10:27 firewall,info **Fwd:ERR:TCP forward: in:BR11-lan out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 24:5e:be:67:c8:5f, proto TCP (ACK), 192.168.30.60:53731->74.87.73.194:4401, len 180
2024-11-04 13:10:28 firewall,info **Fwd:ERR:TCP forward: in:BR24-wifi-d out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 08:12:a5:63:e0:3d, proto TCP (ACK,FIN,PSH), 192.168.36.70:57720->18.165.232.238:443, len 76
2024-11-04 13:10:32 firewall,info **Fwd:ERR:TCP forward: in:BR11-lan out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 24:5e:be:67:c8:5f, proto TCP (ACK), 192.168.30.60:43165->70.185.23.111:7001, len 168
2024-11-04 13:10:32 firewall,info **Fwd:ERR:TCP forward: in:BR11-lan out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 24:5e:be:67:c8:5f, proto TCP (ACK), 192.168.30.60:57031->97.71.152.205:6881, len 168
2024-11-04 13:10:52 firewall,info **Fwd:ERR:TCP forward: in:BR11-lan out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 24:5e:be:67:c8:5f, proto TCP (ACK,FIN,PSH), 192.168.30.60:34187->216.16.76.241:3540, len 225
2024-11-04 13:11:13 firewall,info **Fwd:ERR:TCP forward: in:BR22-wifi-p out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 80:39:8c:a9:3e:94, proto TCP (ACK,PSH), 192.168.32.19:49132->104.16.8.45:443, len 608
2024-11-04 13:11:13 firewall,info **Fwd:ERR:TCP forward: in:BR22-wifi-p out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 80:39:8c:a9:3e:94, proto TCP (ACK,PSH), 192.168.32.19:49148->104.16.8.45:443, len 608
2024-11-04 13:11:13 firewall,info **Fwd:ERR:TCP forward: in:BR22-wifi-p out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 80:39:8c:a9:3e:94, proto TCP (ACK,PSH), 192.168.32.19:49132->104.16.8.45:443, len 76
2024-11-04 13:11:13 firewall,info **Fwd:ERR:TCP forward: in:BR22-wifi-p out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 80:39:8c:a9:3e:94, proto TCP (ACK,PSH), 192.168.32.19:49148->104.16.8.45:443, len 76
2024-11-04 13:11:13 firewall,info **Fwd:ERR:TCP forward: in:BR22-wifi-p out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 80:39:8c:a9:3e:94, proto TCP (ACK,PSH), 192.168.32.19:49132->104.16.8.45:443, len 76
2024-11-04 13:11:13 firewall,info **Fwd:ERR:TCP forward: in:BR22-wifi-p out:isp<->VLAN666<->f/w, connection-state:invalid src-mac 80:39:8c:a9:3e:94, proto TCP (ACK,PSH), 192.168.32.19:49148->104.16.8.45:443, len 76
This was the www interface.Maye be a Winbox 4 bug and not related to this specific ROS version. But as I always said for years: I don't trust Winbox.3) From the GUI, if you go into a wifi interface that is set up as PSK, and simply click "Apply", the passphrase will be corrupted and you'll have to go back and retype it.
Under the hood it sets the passphrase to \E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2\E2\80\A2 no matter what it was prior.
This issue has an easy workaround, don't save anything from the GUI.
I had same problems as you, disabling WPA3 solved the problem. WiFi is now really rock solid. I hope Mikrotik solve this in the future.
"end user devices do not need btest!"
ok, well, you have already said that all 'already enabled features' will be preserved on upgrade. So you have already built a bypass for /most/ of these dangerous features that these theoretical** hackers could exploit, they just have to turn on these desired nefarious features before carrying out the upgrade. Just not one that allows us to preserve btest client on devices already in the field, something we want available on every device we have deployed (in our case, mostly RB4011, RB5009, CCR*)."What if hackers (that we have no evidence actually exist) exploit any bypass to enable nefarious features before you upgrade to 7.17? what then?!!??!"
Btest-Server being off by default (service, on port2000) is good practice, and long overdueAlso, if the btest function can be used to just packet random IPs (why else would it need restricting?) instead of just talking to btest servers, maybe /that/ is actually what needs fixing?
Disabling WPA3 also improved my AX experience hugely! (HAP AX3)I had same problems as you, disabling WPA3 solved the problem. WiFi is now really rock solid. I hope Mikrotik solve this in the future.
You are not alone:I updated my hw to use wpa3 and now should I disable it?
Probably a mistake that I updated again to hw mikrotik. . . .
It is no doubt a difficult problem, but there is a serious issue with MT wireless when a $100 router/AP combo from any store can outperform their enterprise wireless solution in compatibility with clients, range, and throughout.Incompatibilities between WiFi access points and clients are something that every manufacturer is fighting with...
The users ask for new features, better performance, more security, etc etc but expect that all their equipment, no matter if it is a brand new smartphone or a simple IoT device with an ESP8266 WiFi chip, to work at high speed, roam perfectly, prefer 5 or 6 GHz, etc.
It sometimes looks like a whack-a-mole game where each change improves something that was requested or reported, but breaks the connection to some different class of device.
I do not envy the developers that have to create updates and can maybe test them with 10 or 20 test devices that they have in their office, then get a load of complaints when they release it...
Pretty sure the BTest Server isn't enabled by default in the stock mikrotik configuration. I don't know that it ever has been?Btest-Server being off by default (service, on port2000) is good practice, and long overdue
Yeah I don't think that a fraction as many providers are going to miss traffic generator, however I'd still argue that these restrictions should be opt-in for existing devices in the field.Traffic-Generator, in the other hand, is a RAW packet synthesizer
it will spew whatever you tell it to, towards any programmed destination, indiscriminately, at wire-speed
intel card bearing laptops
I beg to differ:but not with other brand wireless solutions
Yes, that´s true we have seen lot´s of improvements, except WPA3 is still unusable with many very common chipsets. There is a list we have created in the thread from my previous post and many users created tickets about this issue.Besides lots of improvements (though not working for you), MikroTik is constantly requesting their users to provide information.
But this is for the stable releases only (as of writing 7.16.1), no? The behavior changes exactly with the 7.17 series - currently in beta. Don't get me wrong: I think Mikrotik is shooting itself on both feet, with this planned change of units already on the field.Just unpacked a new wAP AX.
according to help pages routerboard settings should be DISABLED by default when selecting mode=advanced.
Not so.
This is plain crazy ...