EdPa
MikroTik Support
Topic Author
Posts: 403
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

v7.20beta [testing] is released!

Wed May 28, 2025 12:48 pm

RouterOS version 7.20beta has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.20beta2 (2025-May-27 13:33):

*) arm - improved system stability when processing encrypted traffic;
*) arm64 - increased maximum number of CPU cores to 128;
*) bgp - added brief, unnumbered output for advertisements list;
*) bgp - added initial EVPN support;
*) bgp - added NLRI filter for more precise accept/discard of ipv4/6 prefixes;
*) bgp - decode and log notifications;
*) bgp - introduced BGP instance configuration (note, downgrading to earlier versions without instance support may cause config issues);
*) bgp - print aigp attribute in advertisements;
*) bridge - added dynamic tagged entry named “switch-cpu” in scenarios where the same VLAN spans multiple switch chips or is used on both HW and SW ports;
*) bridge - added verbose STP debug logging (rx/tx BPDU, edge-port and port-role transitions, FDB flush);
*) bridge - disable/enable HW offload on bonding slave disable/enable (fixes potential MAC learning issue);
*) bridge - fixed port-id when adding a new port in non-primary MLAG;
*) bridge - refactored host learning logic in MLAG setups in order to make it more robust and predictable;
*) bth - added extra file-share functionality for use with apps;
*) bth - improved tunnel name in client config export;
*) bth,file - added direct file sharing from the WinBox Files menu;
*) certificate - improved stability after failed import;
*) chr - added Chelsio VF driver for PCIID 5803;
*) cloud - fixed restoring "BTH Files" service after a prolonged network outage;
*) cloud - reduced “BTH Files” ping interval dynamically upon failure;
*) console - added non-interactive (scriptable) serial-terminal support;
*) console - added use-tz option to :timestamp command;
*) console - fixed :convert to=num on MIPSBE;
*) console - improved stability and visuals for /interface/wireless/snooper/snoop;
*) console - improved visuals for brief print when displaying large tables;
*) console - improved visuals for hiding sensitive commands;
*) console - include flags by default when printing to value;
*) console - prioritize directory specific parameters and hide rarely used ones in print autocomplete;
*) console - replace TAB characters with spaces when editing scripts and added tab-width user configuration in /console/settings;
*) console - unified string representation of ID values;
*) console - updated hints for some /file/print parameters;
*) console - validate filenames upon addition (if enabled in /console/settings);
*) container - added "device" option to pass a device from /system/hardware menu to a container;
*) container - added /container/log menu, keep 100 messages per container;
*) container - added default print brief mode;
*) container - added initial support for container in container setups;
*) container - added option to execute commands inside a container using "/container/shell cmd= user=";
*) container - added per-container memory limiting and monitoring;
*) container - added SCTP support;
*) container - added support for cpuset, cpu, memory, pids cgroups;
*) container - allow picking passthrough devices by descriptive name;
*) container - allow read-only mounts;
*) container - allow to mount individual files, not just directories;
*) container - allow to specify multiple envlists;
*) container - allow to use multiple veths in a container, change the in container interface name to same as in RouterOS;
*) container - display any error prominently in WinBox;
*) container - do not allow multiple containers with same root directory;
*) container - enable check-certificate by default for new remote imports;
*) container - fixed containers that use inotify interface;
*) container - fixed environment variables not being passed to "/container/shell" properly;
*) container - improved compatibility when running containers with custom "cmd" and "entrypoint" commands;
*) container - improved error and log messages;
*) container - prevent user from setting "root-dir=/" for a container;
*) container - show a more descriptive error when tar extraction fails, particularly "No space left on device";
*) container - show config.json to user;
*) container - show explicit stopped flag for container;
*) container - stability improvements;
*) container - support for direct access to hardware devices;
*) container - terminate containers on shutdown, allow them to clean up properly;
*) dhcp - show error only after interface status is synced with the system (instead of erroneously displaying it immediately);
*) dhcp-client - always set the broadcast flag for DHCP Discover packets, except when renewing the lease;
*) dhcp-server - do not show "I" flag when server is disabled;
*) dhcpv4-client - allow specifying vlan-priority of outgoing packets (for VLAN interfaces only);
*) dhcpv4-server - added "lease-agent-circuit-id" and "lease-agent-remote-id" variables to the lease script;
*) dhcpv4-server - added "ntp-none" parameter;
*) dhcpv4-server - changed the default value of address-pool to "static-only" in the option matcher, removed "none" option;
*) dhcpv4/v6-client - properly resume client service after underlying interface status changes;
*) dhcpv4/v6-server - added CoA support;
*) dhcpv6-client - added "accept-prefix-without-address" allowing client to accept prefix when address is not available although requested;
*) dhcpv6-client - update the routing table and address list on manual client configuration changes;
*) dhcpv6-server - added "ignore-ia-na-bindings" setting that allows server to ignore address requests and work just with prefixes;
*) dhcpv6-server - do not trim real client DUID when assigning it to the binding;
*) discovery - disable discovery on loopback, LTE, ppp-out interfaces;
*) disk - allow to format multiple disks at once;
*) disk - allow to remove Btrfs device by ID;
*) disk - better manage disks disappearing from RAID;
*) disk - cleanup mountpoint when setting mount-filesystem=no;
*) disk - do Btrfs remove-device asynchronously;
*) disk - fixed RAID component size to match the value in the superblock;
*) disk - offer to blink only PCI slots in console;
*) disk - rename raid-role=unspecified to spare;
*) disk - reset RAID role of old disk after spare assumes a new role;
*) disk - show total/free inode counts for fs's that support it;
*) dlna - recognize flac extension;
*) fetch - display file sizes between 1–1023 bytes as 1KiB (instead of 0KiB);
*) fetch - include RouterOS version in the "User-Agent" field;
*) file - improved file handling performance in WinBox v4;
*) firewall - added connection tracking "total-ip4-entries" and "total-ip6-entries" counters;
*) firewall - allow "dst-limit" matcher to work properly above value 10000;
*) firewall - improved IPv6 connection tracking lookup responsiveness;
*) firewall - improved system stability when processing connections on multicore systems;
*) firewall - reorganized firewall connection tracking table values and make them persistent between IPv4 and IPv6;
*) flashfig - bind to local address (fixes issue when multiple interfaces are enabled);
*) hotspot - allow only "http" and "https" schemas in dst field;
*) iot - added an option to increase the amount of LoRa's traffic entries displayed;
*) iot - adjusted default LoRa antenna gain values for specific devices;
*) iot - iot-bt-extra package stability improvement and additional dongle support;
*) iot - LoRa stability improvements;
*) iot - LR8G/9G firmware update;
*) iot - removed lora-package, LoRa functionality was moved into iot-package;
*) iot - removed non-existent GPIO pin functionality;
*) ip - added socksify feature and new NAT action "socksify";
*) ipsec - fixed degraded IPsec performance for IPQ-6010 (introduced in v7.17);
*) ipv6 - added support for IPv6 ND proxying of individual addresses;
*) ipv6 - do not allow removal of dynamic address on lo interface;
*) ipv6 - make pref-src work and settable for static routes;
*) log - added command to clear memory action entries;
*) log - improved the "transmit loop detected" warning log;
*) log - output PoE-Out LLDP negotiation to poe,info topic;
*) lte - added "done" status for modem firmware-upgrade version check;
*) lte - added log entry if eSIM has no profiles on read;
*) lte - allow only one IPv6 APN for AT modems;
*) lte - display ICCID regardless of SIM PIN entry status;
*) lte - fixed modem recovery for unexpected modem reboot for Chateau 5G and Chateau 5G R16;
*) lte - fixed rare case where AT dialer could stop;
*) lte - refresh eSIM profile list after successful provision;
*) lte - renamed "uicc" to "iccid" in LTE monitor and eSIM profile print;
*) lte - show ip-type in /interface/lte/apn/print;
*) lte - use modem-supplied IPv6 address over EUI-64 when available;
*) net - fixed possible slave flag issues after user configuration changes;
*) net - improved system stability when processing TCP/UDP connections;
*) net - prevent removal of lo interface via WinBox;
*) netinstall - added after-install controls (reboot after installation, shutdown after installation, none);
*) netinstall - alert on unreadable configuration scripts;
*) netinstall - detect inactive install interface;
*) netinstall - fixed install for PPC devices;
*) netinstall - fixed mutually exclusive checkbox behavior;
*) netinstall - show router and package architecture;
*) netinstall - warn user if not enough space on device;
*) netinstall-cli - added MAC filter option "--mac";
*) netinstall-cli - added multiple install option "-m";
*) netwatch - fixed date and time for stats;
*) ovpn - added support for sha384 hmac;
*) ovpn - improved tunnel setup speeds in configurations with large amount of active OVPN clients;
*) partitions - fixed failure to repartition correctly from 32MB partition size;
*) partitions - hide partition menu on unsupported boards (without NAND);
*) partitions - limit minimal partition size to 60MB;
*) poe-out - upgraded firmware for 802.3at/bt controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - added IPv6 support for "remote-access" tool;
*) ppp - added DHCPv6 assigned prefix to address list when configured and received from RADIUS;
*) ppp - added dhcpv6-lease-time profile configuration property;
*) ppp - do not send initial echo request if keepalive-timeout=disabled;
*) ppp - improved system stability when closing connections;
*) pppoe-server - added accept-untagged=yes/no option to accept untagged traffic in combination with pppoe-over-vlan-range property;
*) ptp - added PTP support for RDS2216 device;
*) qos-hw - added mirror-buffers property and monitoring values;
*) radius - fixed issue with Session-Timeout attribute functionality;
*) route - added missing and remove unnecessary parameters from /ipv6/route menu;
*) route - afi naming consistency in logs;
*) route - attempt to clean up stuck routes in the routing table;
*) route - do not allow to modify dynamic routes;
*) route - make routing table print faster with hw-offload, gateway and blackhole queries;
*) routerboot - fixed boot MAC for CRS212 switch ("/system routerboard upgrade" required);
*) routing-filter - added filter-wizard (filter generator with v6-like syntax);
*) routing-filter - make "chain" and "list" parameters required when adding new item;
*) sfp - added sfp-power-class and sfp-max-power monitor values for QSFP;
*) sfp - fixed qsfp28 breakout disable;
*) sfp - improved initialization and linking for sfp28 on CRS518;
*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
*) smips - reduced package size and removed hotspot capabilities;
*) sniffer - added CPU number and fast-path status in per-packet comment;
*) sniffer - save packets in pcapng format, it now includes interface name the packet was sniffed on, packet direction and nanosecond timestamp resolution;
*) snmp - added SNMP OIDs for firewall connection tracking "total-entries", "total-ip4-entries" and "total-ip6-entries";
*) ssh - improved stability on busy server;
*) ssh/sftp - fixed session disconnects during file transfer;
*) supout - added certificate settings section;
*) switch - fixed ACL rules when ports are not specified (fixes dynamic rules for RoMON);
*) switch - fixed port blocking by MSTP for 88E6393X, 88E6191X and 88E6190 switches;
*) switch - hide cpu-flow-control on irrelevant devices;
*) switch - improved bond MAC flush for 88E6393X, 88E6191X and 88E6190 switches;
*) switch - improved hash calculation for 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98CX8410 switches (affects load balancing for bonds, ECMP routes, and VXLAN source port);
*) switch - improved ingress-rate limit precision for 88E6393X, 88E6191X and 88E6190 switches;
*) switch - rework ethernet counters (add tx-drop-queueX-byte/packet, tx-drop-byte/packet, tx-queueX-byte to /in/eth and updated GUI);
*) system - added support for OpenFlow 1.3 (new package "openflow" available);
*) system - do not automatically retry in case /system/package/update download fails;
*) system - fixed bb-upgrade failure on RB5009;
*) system - improved system configuration journaling procedure;
*) system - merge /system/resource/usb and /system/resource/pci into /system/resource/hardware and create a device tree;
*) usb - improved system stability after unplugging USB device for RB5009;
*) user - change /user/active/request-logout to /user/active/remove;
*) vrrp - added proxy-arp support;
*) vrrp - fixed sync-connection-tracking issue when parent interface is disabled/enabled;
*) vrrp - improved responsiveness when router has many IP addresses depending on VRRP state;
*) vrrp - make MTU property read-only;
*) vxlan - added checksum and learning properties;
*) webfig - added token authentication (no password prompt on reload or new window, logout button will log out all related sessions, removing a user will disconnect from active sessions);
*) webfig - allow network map scrolling in Dude;
*) webfig - basic mobile keyboard support for terminal;
*) webfig - do not show Keepalive if not set in GRE Tunnel form;
*) webfig - filter out unusable Bands and Channels for wifi interfaces;
*) webfig - fixed an issue where dynamic dropdown lists were hidden despite having values;
*) webfig - fixed hiding New button with skins;
*) webfig - fixed skin limits for radio buttons;
*) webfig - fixed Target field duplicate when disabling simple queue;
*) webfig - improved stability when displaying read-only scripts;
*) webfig - make columns a bit wider in tables;
*) webfig - make the Close buttons actual buttons, not links;
*) webfig - mask certain fields where values match default value;
*) webfig - more space to branding logo;
*) webfig - redesign logical "not" operator selector;
*) webfig - remove duplicate flag labels in QuickSet tables;
*) webfig - show system note on login;
*) webfig - use lexicographical sort in dropdown lists;
*) wifi - added tr069 support for wifi interfaces;
*) wifi - avoid picking 5GHz channels by default which are unlikely to be supported by clients, can be overridden with channel.deprioritize-unii-3-4 (CLI only);
*) wifi - restart CAPsMAN only on significant configuration changes;
*) winbox - added Address List Extra Time under "IP/DNS" menu;
*) winbox - added Digest Algorithm under "System/Certificates" menu;
*) winbox - added EAP identity under "WiFi/Registration" menu;
*) winbox - added Heartbeat under "Bridge/MLAG" menu;
*) winbox - added Installation under "WiFi" menu;
*) winbox - added missing Comments under "User Manager" menus;
*) winbox - added missing WPA2 PSK SHA2 option under "WiFi/Security" menu;
*) winbox - added MPLS Mangle;
*) winbox - added option to create new entries under "System/Users/SSH Keys" menu;
*) winbox - allow to specify CAPsMAN Address as IPv6 LL;
*) winbox - bump minimal WinBox version to 3.42;
*) winbox - correctly unset Locked CAPsMAN field;
*) winbox - differentiate PPP Profile Rx/Tx Queue settings;
*) winbox - display errors from the "Files/Sync" menu;
*) winbox - fixed container RAM parameter type;
*) winbox - fixed Record Type field under "Tools/Netwatch" menu;
*) winbox - make IPv6 Immediate Gateway read-only;
*) winbox - make log message field as multiline;
*) winbox - move CAPsMAN settings button from Remote CAP to WiFi table;
*) winbox - rename Ping Timeout field to Interval;
*) winbox - rename SMS Type field to Modem Type;
*) winbox - rework LTE firmware upgrade buttons into one window;
*) winbox - show "Switch" related menus only on boards that support such features;
*) winbox - use same WireGuard default values as in console;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send a supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device.

Please keep this forum topic strictly related to this particular RouterOS release.
 
rextended
Forum Guru
Posts: 13149
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.20beta [testing] is released!

Wed May 28, 2025 1:02 pm

*) bgp - decode and log notifications;
Thanks...


*) routing-filter - added filter-wizard (filter generator with v6-like syntax);
Uh....
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Wed May 28, 2025 1:32 pm

*) system - added support for OpenFlow 1.3 (new package "openflow" available);
*) bgp - added initial EVPN support;

Wow!!! very exciting indeed!
 
edupre
just joined
Posts: 1
Joined: Fri Jan 20, 2023 7:44 pm
Location: Montreal, QC

Re: v7.20beta [testing] is released!

Wed May 28, 2025 1:40 pm

*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;

Could you also look at unblocking the GPON reading? Like rx and tx power?
 
FezzFest
Member Candidate
Posts: 109
Joined: Wed Jun 03, 2015 12:03 am

Re: v7.20beta [testing] is released!

Wed May 28, 2025 1:51 pm

230 changes in v7.20beta2, impressive! BGP EVPN is a great addition, looking forward to setting it up in the lab.
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Wed May 28, 2025 2:01 pm

routing-filter wizard is also available in both CLI and winbox, but it's one-way: you can create a routing filter using the wizard but not edit it using the same wizard dialog. But this is progress :)
 
Cha0s
Forum Guru
Posts: 1166
Joined: Tue Oct 11, 2005 4:53 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 2:20 pm

Yes, routing-filter wizard is nice to have, but does not replace the need to have the ability to edit, copy and edit filters like we had on v6.
Also with the v6 filters you could do filtering, sorting, etc on winbox list making it easy to manage hundreds of filters. Now it's all just text based with worse usability.

Also, anyone upgrading and using BGP, keep in mind that in my test router all BGP peers could not connect after upgrading because the new bgp instance feature did not contain my local AS number. Once I manually set it on the instance, then they could connect.

How are we supposed to remotely upgrade BGP routers when the time comes? There must be a way for the BGP instance to pick up the proper local AS number so that the peers connect after the reboot.
 
trmns
just joined
Posts: 9
Joined: Tue Mar 26, 2024 7:21 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 2:23 pm

sniffer - added CPU number and fast-path status in per-packet comment;
How does this work, if enabling sniffer turns off fast-path?
 
strods
MikroTik Support
Posts: 1698
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v7.20beta [testing] is released!

Wed May 28, 2025 2:32 pm

Run sniffer with option fast-path=yes specified.
sniffer - added CPU number and fast-path status in per-packet comment;
How does this work, if enabling sniffer turns off fast-path?
 
mrz
MikroTik Support
Posts: 7216
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7.20beta [testing] is released!

Wed May 28, 2025 2:32 pm


Also, anyone upgrading and using BGP, keep in mind that in my test router all BGP peers could not connect after upgrading because the new bgp instance feature did not contain my local AS number. Once I manually set it on the instance, then they could connect.
send a supout file from v7.19 to support. To see what bgp config exactly you had.
 
CTassisF
newbie
Posts: 38
Joined: Thu Jun 11, 2020 10:26 pm
Location: São Paulo, Brazil

Re: v7.20beta [testing] is released!

Wed May 28, 2025 2:54 pm

*) container - enable check-certificate by default for new remote imports;

This is great, unfortunately images in https://docker.io (https://registry-1.docker.io) don't appear to be supported by the built-in root certificate authorities (/certificate/settings/set builtin-trust-anchors=trusted).
 
trmns
just joined
Posts: 9
Joined: Tue Mar 26, 2024 7:21 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 2:56 pm

Run sniffer with option fast-path=yes specified.


How does this work, if enabling sniffer turns off fast-path?
I see, how would I do that? I am in /tool/sniffer right now, but I don't see the option anywhere. Also, is it more taxing on the CPU to add a comment to each packet? One of my cores on my RB5009 is on 99% usage when running the sniffer while executing a speedtest and I do not get a full 1 gbit anymore (around 700mbit)
 
wispmikrotik
Member Candidate
Posts: 164
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.20beta [testing] is released!

Wed May 28, 2025 3:17 pm

How are we supposed to remotely upgrade BGP routers when the time comes? There must be a way for the BGP instance to pick up the proper local AS number so that the peers connect after the reboot.
Hi,

L009:

BGP not working.

Ipsec not working:

Every new version is a disaster.... Reverting to v7.19.1 resolves the issues (the AS and router ID in BGP are incorrect when reverting to the previous version).
Last edited by wispmikrotik on Wed May 28, 2025 3:39 pm, edited 1 time in total.
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 3:35 pm

Mediatek WiFi driver? It seems WiFi 7 is close, I hope. ;-) But it makes sense, OpenWrt Two is on horizon.
 
spippan
Long time Member
Posts: 540
Joined: Wed Nov 12, 2014 1:00 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 3:47 pm

How are we supposed to remotely upgrade BGP routers when the time comes? There must be a way for the BGP instance to pick up the proper local AS number so that the peers connect after the reboot.
Hi,

L009:

BGP not working.

Ipsec not working:

Every new version is a disaster.... Reverting to v7.19.1 resolves the issues (the AS and router ID in BGP are incorrect when reverting to the previous version).


maybe this is an issue with an incomplete or sloppy bgp/ipsec configuration
never had such issues with any of bgp and ipsec related setups

edit:
changelog even mentions caution
*) bgp - introduced BGP instance configuration (note, downgrading to earlier versions without instance support may cause config issues);
 
lurker888
Member
Posts: 440
Joined: Thu Mar 02, 2023 12:33 am

Re: v7.20beta [testing] is released!

Wed May 28, 2025 3:52 pm

Mediatek WiFi driver? It seems WiFi 7 is close, I hope. ;-) But it makes sense, OpenWrt Two is on horizon.
I couldn't help my curiosity and peeked into the npk for wifi-mediatek, and it contains drivers for the mt7916 (Filogic 630) and the mt7996. The latter is a WiFi 7 tri-band concurrent solution. With this I think Mikrotik can catch up to their competitors in AP capabilities...
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 3:59 pm

But WiFi 6 only. :-(
Mediatek WiFi driver? It seems WiFi 7 is close, I hope. ;-) But it makes sense, OpenWrt Two is on horizon.
I couldn't help my curiosity and peeked into the npk for wifi-mediatek, and it contains drivers for the mt7916 (Filogic 630) and the mt7996. The latter is a WiFi 7 tri-band concurrent solution. With this I think Mikrotik can catch up to their competitors in AP capabilities...
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: v7.20beta [testing] is released!

Wed May 28, 2025 4:01 pm

*) wifi - avoid picking 5GHz channels by default which are unlikely to be supported by clients, can be overridden with channel.deprioritize-unii-3-4 (CLI only);
Any additional information, please.
 
lurker888
Member
Posts: 440
Joined: Thu Mar 02, 2023 12:33 am

Re: v7.20beta [testing] is released!

Wed May 28, 2025 4:05 pm

But WiFi 6 only. :-(
You mean Mikrotik will only enable WiFi 6? The 7916 is 6/6E, but the 7996 is clearly marketed as WiFi 7.
 
mmtik
just joined
Posts: 13
Joined: Tue Jun 07, 2016 3:28 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 4:08 pm

*) ip - added socksify feature and new NAT action "socksify";
Where can I read about this?
 
normis
MikroTik Support
Posts: 27129
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.20beta [testing] is released!

Wed May 28, 2025 4:10 pm

But WiFi 6 only. :-(
You mean Mikrotik will only enable WiFi 6? The 7916 is 6/6E, but the 7996 is clearly marketed as WiFi 7.
Love you you guys know so much about mikrotik's plans :D
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.20beta [testing] is released!

Wed May 28, 2025 4:17 pm

*) ipsec - fixed degraded IPsec performance for IPQ-6010 (introduced in v7.17);
Could you elaborate on this one?
 
blacksnow
Frequent Visitor
Posts: 64
Joined: Wed Feb 15, 2023 4:46 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 4:20 pm

*) arm - improved system stability when processing encrypted traffic;
I can confirm, wireguard handles much better in 7.20b2, I've narrowed the issue on ingress to a packet buffer problem. For example iperf coming from a 10G/25G line into the router (wireguard) and out to a 2.5G or 1G client results in a slower output (max around 800Mb/s) and lots of tx-queue-drops on the ingress 25G port. But this is an understandable problem, I don't think even my CCR2216 has deep enough packet buffers for this kind of situation, especially when using BBR.

Stable TCP throughput on wireguard is now at approximately ~1.8Gb/s with 4 parallel threads on iperf3 on the CCR2216 and I'm not seeing any weird RX errors on my WG interface (as of yet).

Stable UDP throughput on wireguard is now at approximately ~1.5Gb/s with 4 parallel threads on iperf3 on the CCR2216.

Flooding the router with excessive UDP traffic (10G+) no longer kills/crashes the router, but you can still DDOS the target at the other end of the WG tunnel by effectively consuming all the bandwidth which makes sense and is no different than a regular DDOS without wireguard.


Issues:

The below code does not work, it outputs "Invalid File Name".
/export show-sensitive file=/sata1-part1/backup/test.rsc
 
ToTheFull
Member
Posts: 454
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 4:24 pm

MT7996
Oooer, shut-up and take my money :)
MT7996
Filogic 680
May 2023 	4x4 	4x4 	4x5 	
Up to 13.5 Gbit/s 	
4096-QAM 	
Up to 320 MHz
 
osc86
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 5:46 pm

*) ipv6 - added support for IPv6 ND proxying of individual addresses;

thanks, please add support for prefixes
 
buset1974
Frequent Visitor
Posts: 87
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v7.20beta [testing] is released!

Wed May 28, 2025 6:25 pm

having problem with routing bgp instance after upgrade.

thx
 
itimo01
Member
Posts: 302
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: v7.20beta [testing] is released!

Wed May 28, 2025 6:52 pm



You mean Mikrotik will only enable WiFi 6? The 7916 is 6/6E, but the 7996 is clearly marketed as WiFi 7.
Love you you guys know so much about mikrotik's plans :D
They know more than Mikrotik themselves ;)
 
noradtux
newbie
Posts: 41
Joined: Mon May 24, 2021 6:33 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 7:14 pm

How are we supposed to remotely upgrade BGP routers when the time comes? There must be a way for the BGP instance to pick up the proper local AS number so that the peers connect after the reboot.
Hi,

L009:

BGP not working.

Ipsec not working:

Every new version is a disaster.... Reverting to v7.19.1 resolves the issues (the AS and router ID in BGP are incorrect when reverting to the previous version).
You realise this is an early beta? Report the issue, I am sure they will fix this before rc.
 
noradtux
newbie
Posts: 41
Joined: Mon May 24, 2021 6:33 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 7:18 pm

Yay, my container-removal-issue is fixed \o/
Now, what might the container property "auto-restart-interval" do? Does it restart a container at regular intervals or does it restart crashed containers (or maybe something else)?
Otherwise, CCR2116, CRS317 and Chateau 5G AX upgraded and running without issues.

EDIT:
Found out, auto-restart-interval restarts containers on failure. Nice, one fiddly scheduler less.
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 7:38 pm

Additional evergreen (besides the memory leak): ROM space shortage on 16MB hAP ac^2 with wifi-qcom-ac. It is quite obvious - RouterOS 7.20 for ARM is roughly 100kB bigger than RouterOS 7.19. Netinstall procedure has been applied with manual configuration.
 
Paternot
Forum Guru
Posts: 1110
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.20beta [testing] is released!

Wed May 28, 2025 7:46 pm

Several fixes for switch 88E6393X! Maybe it will solve my 2,5Gbps problems? One can always hope. :D
 
noradtux
newbie
Posts: 41
Joined: Mon May 24, 2021 6:33 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 7:51 pm

Love the separate log for containers :)
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: v7.20beta [testing] is released!

Wed May 28, 2025 8:25 pm

The DHCPv6 client is broken. The pd-prefix parameter is filled incorrectly.
On version 7.19.1, this script works fine in the DHCPv6 client
:if ($"pd-valid" = 1) do={
  /ipv6 firewall address-list remove [find list=allowed]
  :delay 1s
  /ipv6 firewall address-list add address=$"pd-prefix" comment="!!! Check YOUR pool from ISP" list=allowed
  /ipv6 firewall address-list add address=fe80::/16 list=allowed
  /ipv6 firewall address-list add address=ff02::/16 comment=multicast list=allowed
  :delay 1s
} 

In version 7.20beta, the pd-prefix parameter has an “@” instead of a subnet mask.

We're getting an error:
(dhcp-ia) failure: 2a00:1220:a:d::/@ is not a valid dns name (/ipv6/firewall/address-list/add; line 4)

I had to rewrite the script:
:local okAddr "/64"
:local locTmp ""
:if ($"pd-valid" = 1) do={
  /ipv6 firewall address-list remove [find list=allowed]
  :delay 1s
  :set locTmp [/ipv6/dhcp-client/get value-name=prefix number=0]
  :set okAddr [:pick $locTmp 0 [:find $locTmp ","]]
  /ipv6 firewall address-list add address=$okAddr comment="!!! Check YOUR pool from ISP" list=allowed
  /ipv6 firewall address-list add address=fe80::/16 list=allowed
  /ipv6 firewall address-list add address=ff02::/16 comment=multicast list=allowed
  :delay 1s
}
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Wed May 28, 2025 9:07 pm

Lots of good changes in container!

On these specifically...
*) container - added option to execute commands inside a container using "/container/shell cmd= user=";
I tried this out, works! But... few minor issues with it...

- should be some timeout= on it (or something)... since if the command has an error... it drops you to the interactive shell prompt. Meaning that if cmd= was used in a script (and cmd had an error), it HANGS the script.

- on /container/shell cmd= ... it would be nice if it had some "start-if-stopped=yes" too, so it would be closer to "docker run". I wanted to try using commands like "awk"/"sed"/etc from a RouterOS script, but ran into the default alpine image not staying running (so need the "tail -f /dev/null" and start-on-boot=yes to use the new cmd= syntax) — so it would be nice if the "use alpine to run UNIX shell commands" use case worked without a lot of pre-configuration.

- Overall, the CLI experience could still be improved in container. Beyond the asynchronous nature of /container commands which makes scripting start/stop/etc difficult. But the new errors (below) do not appear in terminal, and NO ERROR results from CLI POV from remote-image= things (like from check-certificates=yes). Error should show up WITHOUT using /container/print

*) container - enable check-certificate by default for new remote imports;
*) container - improved error and log messages;
I tried using the default container settings, so lscr.io as the "presumed-registry" to load alpine for above. But remote-tag= is still pretty picky, so just "alpine" or "alpine:latest" did not work. The good news is the "improved error and log messages" were helpful! The bad news is I got various errors trying to find a remote-tag that works for alpine... eventually "ghcr.io/linuxcontainers/alpine:latest" worked (which bypassed default lscr.io)...

Specific issues:
- perhaps the default for the /certificates/builtin should be to be enabled as this one may not be obvious to everyone especially if default is now to check-certificates...
- registry-1.docker.io does get the SSL cert error EVEN with built-in certs enabled
- default registry of lscr.io got an authentication error using just "linuxcontainers/alpine:latest" as remote-tag – I'm still not sure why, perhaps it's just lscr.io logic for tags, but maybe a bug on RouterOS?
 
npeca75
Frequent Visitor
Posts: 76
Joined: Thu Aug 03, 2017 3:12 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 11:17 pm

*) snmp - added SNMP OIDs for firewall connection tracking "total-entries", "total-ip4-entries" and "total-ip6-entries";
on which OIDs ?
 
itimo01
Member
Posts: 302
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: v7.20beta [testing] is released!

Wed May 28, 2025 11:18 pm

*) snmp - added SNMP OIDs for firewall connection tracking "total-entries", "total-ip4-entries" and "total-ip6-entries";
on which OIDs ?
https://download.mikrotik.com/routeros/ ... krotik.mib
 
memelchenkov
Member Candidate
Posts: 204
Joined: Sun Oct 11, 2020 12:00 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 11:25 pm

"arm - improved system stability when processing encrypted traffic;" — Can you please describe in more detail, in what cases? Is this related to IPSEC?
 
LordNikkon
just joined
Posts: 8
Joined: Thu Jan 23, 2020 1:12 pm

Re: v7.20beta [testing] is released!

Wed May 28, 2025 11:52 pm

"arm - improved system stability when processing encrypted traffic;" — Can you please describe in more detail, in what cases? Is this related to IPSEC?
Agree. More details please.
 
chojrak11
Member Candidate
Posts: 134
Joined: Sun Apr 05, 2009 10:37 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 12:28 am

Additional evergreen (beside of memory leak), ROM space shortage on 16MB hAP ac^2 with wifi-qcom-ac. It is quite obvious - RouterOS 7.20 for ARM is roughly 100kB bigger than RouterOS 7.19. Netinstall procedure has been applied with manual configuration.
Come on, buy a decent newer router already.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Thu May 29, 2025 12:46 am

Additional evergreen (beside of memory leak), ROM space shortage on 16MB hAP ac^2 with wifi-qcom-ac. It is quite obvious - RouterOS 7.20 for ARM is roughly 100kB bigger than RouterOS 7.19. Netinstall procedure has been applied with manual configuration.
Come on, buy a decent newer router already.
FWIW, most early beta's are generally bigger than the final stable package. Still a lot of 16MB flash units in production, so problem is not limited to hAPac2 (which is a great router, albeit dated)
 
dormancygrace
just joined
Posts: 3
Joined: Sun Dec 31, 2023 2:03 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 12:47 am

*) ip - added socksify feature and new NAT action "socksify";
Is there documentation?
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Thu May 29, 2025 2:05 am

*) ip - added socksify feature and new NAT action "socksify";
Is there documentation?
While there should be. You can almost guess...
/interface/list add name=REQUIRE_PROXY
/interface/list/member add list=REQUIRE_PROXY interface=<what-interface-to-force-sock-proxy>
/ip/firewall/nat/add action=socksify socks5-port=1080 socks5-server=127.0.0.1 in-interface-list=REQUIRE_PROXY chain=<input-or-srcnat>     
My question is should the chain= be "input" or srcnat/etc... I'm kinda not sure why it's NAT, since it seems like a "mangle thing", not NAT. But I guess that comes later in packet flow. And likely before other NAT rules depending on specific filter. But docs would be helpful and clarify...

Now that EVPN is underway... and this new "socksify" Netfilter action... just missing some:
/ip/firewall/mangle action=ebpf ebpf-module=disk1/my-eBPF-code that allows the socksify-like scheme to be extended to other custom things.
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Thu May 29, 2025 2:15 am

@MT
OpenFlow seems to work with Faucet at first try. The question is: how does hardware offload come into play, since the ports are now being handled in openflow->ports and not in the bridge? Could you please give clarity on this?
 
garlicbulb
Frequent Visitor
Posts: 51
Joined: Mon Jul 25, 2011 12:41 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 2:41 am

Will input.filter-nlri now allow you to "discard" a prefix rather than adding it as "filtered"? Can you add that filter via the GUI?
 
syadnom
Forum Veteran
Posts: 849
Joined: Thu Jan 27, 2011 7:29 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 4:21 am

Can't wait to see some EVPN docs to test out as well as to see what sort of hardware accel support/performance we might see.
 
MatiasMK88
just joined
Posts: 8
Joined: Tue Jan 21, 2025 10:56 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 4:31 am

Can't wait to see some EVPN docs to test out as well as to see what sort of hardware accel support/performance we might see.
https://web.archive.org/web/20250514194 ... 83568/EVPN

https://pastebin.com/QRVdNsjb
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Thu May 29, 2025 5:20 am

@MatiasMK88

Great, your lab works OOB in GNS3. Will be going to lab it on real hardware this week and see if this will fly, thanks a ton
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Thu May 29, 2025 6:03 am

/routing/route/print where afi="evpn" yields no result; this is clearly a bug
[admin@PE1] > /routing/route/print
Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, b - BGP, o - OSPF, e - EVPN
Columns: DST-ADDRESS, GATEWAY, AFI, ROUTING-TABLE, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
   DST-ADDRESS                                    GATEWAY          AFI   ROUTING-TABLE  DISTANCE  SCOPE  TA  IMMEDIATE-GW
Ac 10.0.0.0/31                                    ether1           ip    main                  0     10   5  ether1
Ao 10.0.0.2/31                                    10.0.0.0%ether1  ip    main                110     20  10  10.0.0.0%ethe>
Ao 172.31.255.253/32                              10.0.0.0%ether1  ip    main                110     20  10  10.0.0.0%ethe>
Ac 172.31.255.254/32                              lo               ip    main                  0     10   5  lo
Ao 172.31.255.255/32                              10.0.0.0%ether1  ip    main                110     20  10  10.0.0.0%ethe>
Uc fe80::/64                                      ether2           ipv6  main                  0     10   5
Ac fe80::/64                                      ether1           ipv6  main                  0     10   5  ether1
Ac fe80::/64                                      bridge1          ipv6  main                  0     10   5  bridge1
Ac ::1/128                                        lo               ipv6  main                  0     10   5  lo
A  lo                                                              link  main                  0
A  ether1                                                          link  main                  0
A  ether12                                                         link  main                  0
A  bridge1                                                         link  main                  0
A  Cust2-EVPN                                                      link  main                  0
Ab [172.31.255.253:256]imet:0|172.31.255.253      172.31.255.253   evpn                      200     40  30  10.0.0.0%ethe>
 e [172.31.255.254:256]imet:0|172.31.255.254      172.31.255.254   evpn                      200     40  10
Ab [172.31.255.253:256]macip:0|56:AD:63:7D:2D:1C  172.31.255.253   evpn                      200     40  30  10.0.0.0%ethe>
 e [172.31.255.254:256]macip:0|7A:6D:6F:5F:D6:B3  172.31.255.254   evpn                      200     40  10

[admin@PE1] > /routing/route/print where afi="ip"
Flags: A - ACTIVE; c - CONNECT, o - OSPF
Columns: DST-ADDRESS, GATEWAY, AFI, ROUTING-TABLE, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
   DST-ADDRESS        GATEWAY          AFI  ROUTING-TABLE  DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW
Ac 10.0.0.0/31        ether1           ip   main                  0     10             5  ether1
Ao 10.0.0.2/31        10.0.0.0%ether1  ip   main                110     20            10  10.0.0.0%ether1
Ao 172.31.255.253/32  10.0.0.0%ether1  ip   main                110     20            10  10.0.0.0%ether1
Ac 172.31.255.254/32  lo               ip   main                  0     10             5  lo
Ao 172.31.255.255/32  10.0.0.0%ether1  ip   main                110     20            10  10.0.0.0%ether1
[admin@PE1] > /routing/route/print where afi="evpn"

[admin@PE1] >

 
nichky
Forum Guru
Posts: 1418
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 7:34 am

When will we get some VRF improvements? The following haven't been improved:


- does not redistribute def route inside the VRF
- access from vrf--> main-table; is not working at all
 
nichky
Forum Guru
Posts: 1418
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 7:41 am

*) bth - added extra file-share functionality for use with apps;

can i get more info pls
 
bajodel
Long time Member
Posts: 553
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.20beta [testing] is released!

Thu May 29, 2025 7:51 am

Great, your lab works OOB in GNS3. Will be going to lab it on real hardware this week and see if this will fly, thanks a ton
..[CUT]..
Very cool! let us know how it goes.
BTW ..what's the name of your nice icon set in GNS3 ?
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Thu May 29, 2025 8:44 am

*) container - added option to execute commands inside a container using "/container/shell cmd= user=";
*) system - added support for OpenFlow 1.3 (new package "openflow" available);
OpenFlow seems to work with Faucet as a /container. Good work.

But the scripting around /container is still a PITA, since status things (stopped, extracting, etc) are asynchronous - so it is not easy to add/remove containers. But the new "/container/shell cmd=" also seems to work & is super useful... so I wrote a script to set up the Faucet OpenFlow controller as /container to test it. The script below sets up Faucet as a container along with ALL needed OpenFlow configuration to create a dumb switch, similar to MikroTik's example, just from a RouterOS array with the Faucet config. Script is far from perfect (or even a good example)... more wanted to show where the scripting still has some rough edges to deal with /container (see MANY :delay's below, and 100+ lines of code to poll status isn't much better):
{
:local rootpath "disk1/faucet"
:local ofports {"ether6";"ether7"}

:put "remove any previous faucet containers"
/interface/veth remove [find name=veth-faucet]
/ip/address remove [find comment=faucet]
:if ([:len [/container/find name=faucet]]>0) do={
    :put "...removing existing faucet container"
    :do { 
        /container stop [find name=faucet]
        :delay 31s } on-error={}
    /container remove [find name=faucet]
    :delay 2s
    /ip/address remove [find comment=faucet]
    /interface/veth remove [find name=veth-faucet]
    /openflow port remove [find switch=faucet]
    /openflow remove [find name=faucet]
}

:put "add faucet container"
/interface/veth add address=172.19.7.7/24 gateway=172.19.7.1 gateway6="" name=veth-faucet
/ip/address add address=172.19.7.1/24 interface=veth-faucet network=172.19.7.0 comment=faucet
/container add name=faucet interface=veth-faucet logging=yes root-dir=$rootpath start-on-boot=yes check-certificate=no remote-image=registry-1.docker.io/faucet/faucet:latest
:put "waiting for extract of faucet..."
:delay 60s
/container start [find name=faucet]
:delay 10s
:put "started, adding config..."

:put "setup OpenFlow"
/openflow add controllers=tcp/172.19.7.7/6653 disabled=no name=faucet verify-peer=none version=1.3 datapath-id=0/00:00:00:00:00:07
:delay 3s
:foreach p in=$ofports do={
    /openflow port add disabled=no interface=$p switch=faucet
}

:put "calculate 'dp_id' needed for faucet config"
:local dpidnum 7  
# TODO: previously the datapath-id was automatically generated...
#    ... but getting datapath-id to a number/hex for faucet config was just too hard/annoying
#  :local dpidarr [:deserialize delimiter=":" from=dsv options=dsv.plain [:pick [/openflow/get [find] datapath-id ] 2 64]]     
#  :local dpid "0$[:pick [/openflow/get [find] datapath-id ] 0 1]"
#  :foreach h in=($dpidarr->0) do={:set dpid "$dpid$h"}
#  :local dpidnum [:convert from=hex to=num $dpid]
:put "...using $dpidnum from $[/openflow/get [find] datapath-id ]"

:put "generate a faucet config file (to be added to container)"
:local faucetConfig {
    "vlans"={
        "vlan100"={
            "vid"=100;
            "description"="untagged"
        }
    };
    "acls"={
        "allowall"={
            {
                "rule"={
                    "actions"={"allow"=1}
                }
            };
        }
    };
    "dps"={
        "routeros"={
            "dp_id"=$dpidnum;
            "hardware"="Generic";
            "drop_broadcast_source_address"=false;
            "drop_spoofed_faucet_mac"=false;
            "interfaces"={}          
        }
    }
}
:foreach p,n in=$ofports do={
    :set ($faucetConfig->"dps"->"routeros"->"interfaces"->"$[:tostr ($p+1)]") {
        "acl_in"="allowall"; 
        "name"="$n";
        "native_vlan"="vlan100"
    }
}


# uses new /container shell cmd= to add a configuration file
# (via RouterOS array to JSON, then python in container to get YAML for faucet.yaml)
:put "save default config to /tmp"
/container/shell [find name=faucet] cmd="mv /etc/faucet/*.yaml /tmp"
:delay 2s

:put "serialize faucet ROS array config into JSON"
:local jsonconf [:serialize $faucetConfig to=json options=json.pretty]
:put $jsonconf

:put ""
:put "use python inside container to get YAML, using 7.20+ new /container/shell cmd="
/container/shell [find name=faucet] cmd="echo '$jsonconf' | python -c 'import sys, yaml, json; yaml.dump(json.load(sys.stdin), sys.stdout)' > /tmp/faucet-new.yaml"
:delay 2s
/container/shell [find name=faucet] cmd="echo \"---\n\" > /etc/faucet/faucet.yaml"
/container/shell [find name=faucet] cmd="python3 -c 'import yaml, sys; d = yaml.safe_load(sys.stdin); d[\"dps\"][\"routeros\"][\"interfaces\"] = {int(k): v for k, v in d[\"dps\"][\"routeros\"][\"interfaces\"].items()}; yaml.dump(d, sys.stdout, sort_keys=False)' < /tmp/faucet-new.yaml >> /etc/faucet/faucet.yaml"

/container/shell [find name=faucet] cmd="cat /etc/faucet/faucet.yaml"
:delay 2s

:put "check and apply configuration"
/container/shell [find name=faucet] cmd="check_faucet_config /etc/faucet/faucet.yaml"
:delay 2s
/container/shell [find name=faucet] cmd="pkill -HUP -f faucet.faucet"
}


But specifically OpenFlow's datapath-id needs to be a number (integer) for Faucet, but converting the X/YY:YY:YY:YY:YY:YY into a number is not easy. It would be handy if the OF datapath-id was a status/read-only attribute as an int.

edits:
- added additional :delay time — which is ugly way to script something — the /container should have some wait=yes or be more synchronous.
Last edited by Amm0 on Tue Jun 10, 2025 8:52 pm, edited 1 time in total.
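
The datapath-id conversion the post above leaves as a TODO, as an added Python sketch that is not part of the original post or of RouterOS. It assumes X is the upper 16 bits written in hex (the post's commented-out attempt reads it as a hex digit) and the MAC-like part is the lower 48 bits; the function names are hypothetical.

```python
import json
import re

# Assumed textual form "X/YY:YY:YY:YY:YY:YY": X = upper 16 bits in hex,
# MAC-like part = lower 48 bits of the 64-bit OpenFlow datapath ID.
DPID_RE = re.compile(r"^([0-9A-Fa-f]{1,4})/((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$")


def dpid_to_int(text):
    """Return the integer Faucet expects as dp_id for an 'X/MAC' string."""
    match = DPID_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a datapath-id: {text!r}")
    high = int(match.group(1), 16)
    low = int(match.group(2).replace(":", ""), 16)
    return (high << 48) | low


def int_to_dpid(value):
    """Inverse of dpid_to_int, useful for checking a Faucet dp_id against the router."""
    if not 0 <= value < (1 << 64):
        raise ValueError("datapath ID must fit in 64 bits")
    mac = f"{value & 0xFFFFFFFFFFFF:012X}"
    pairs = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    return f"{value >> 48:X}/{pairs}"


def faucet_dp(name, datapath_id, ports):
    """Build the 'dps' section from the post's script with integer dp_id and port keys."""
    interfaces = {
        number: {"acl_in": "allowall", "name": port, "native_vlan": "vlan100"}
        for number, port in enumerate(ports, start=1)
    }
    return {"dps": {name: {"dp_id": dpid_to_int(datapath_id),
                           "hardware": "Generic",
                           "interfaces": interfaces}}}


def restore_port_numbers(config):
    """JSON object keys are always strings; turn interface keys back into ints."""
    for dp in config["dps"].values():
        fixed = {}
        for key, value in dp["interfaces"].items():
            number = int(key)  # raises ValueError for a non-numeric key
            if number < 1:
                raise ValueError(f"invalid port number: {key!r}")
            fixed[number] = value
        dp["interfaces"] = fixed
    return config


def json_roundtrip(config):
    """Serialize to JSON and back, then repair the port keys (the post's two python steps)."""
    return restore_port_numbers(json.loads(json.dumps(config)))


if __name__ == "__main__":
    cfg = faucet_dp("routeros", "0/00:00:00:00:00:07", ["ether6", "ether7"])
    print(json.dumps(cfg, indent=2))
```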
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Thu May 29, 2025 8:57 am

This is a default icon set on GNS3 v3.0.4 on my docker home lab. I think the icon set is called affinity blue.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 9:03 am

*) dhcpv4-server - added "lease-agent-circuit-id" and "lease-agent-remote-id" variables to the lease script;

A step in the right direction but can you please add 'circuit ID' and 'Remote ID' as assignable variables to static leases (and then let you specify no MAC address)
That way we finally can use DHCP Option 82 directly on the router and not need to use an external RADIUS server
Last edited by millenium7 on Thu May 29, 2025 11:12 am, edited 2 times in total.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 9:17 am

*) routing-filter - added filter-wizard (filter generator with v6-like syntax);

Amazing. Thank you very much
Recreating routing filters was a PAINFUL experience when it couldn't automatically be converted. I'm happy to use scriptable filters when it's actually a benefit but 99% of the time it's just tedious
This is at least a big step in the right direction. Ideally I'd also like to see a 'routing filter converter' wizard or terminal command where I can paste in a config export from V6 and it'll convert it to V7. The same way it does when upgrading from V6 to V7 - but that process is not possible when you are buying a router which only comes with V7 from factory
 
baragoon
Member
Posts: 419
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: v7.20beta [testing] is released!

Thu May 29, 2025 9:33 am

what is the point of BGP instance? looks like we have the same in the template?
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 9:50 am

For anyone playing around with EVPN. I imagine the answer is no but can the tunnels be Traffic Engineered or are we still only able to do this with VPLS?
 
mrz
MikroTik Support
Posts: 7216
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7.20beta [testing] is released!

Thu May 29, 2025 9:54 am

what is the point of BGP instance? looks like we have the same in the template?
Instance was needed to link evpns, and also it will now allow to add other features that required per instance configuration.
 
CapFloor
just joined
Posts: 10
Joined: Sat Feb 06, 2016 1:38 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 11:58 am

Seems the bridging capability for LTE is broken. If a connection on a bridged interface is established, the internet isn't accessible anymore through the LTE modem.
/interface lte apn
add add-default-route=no apn=internet.t-d1.de ip-type=ipv4 name="t-mobile FIXED" use-network-apn=yes use-peer-dns=no
/interface lte
add add-default-route=no apn=internet.t-d1.de ip-type=ipv4 name="t-mobile BRIDGE#1" passthrough-interface=net-050 passthrough-mac=auto \
    use-peer-dns=no
add add-default-route=no apn=internet.t-d1.de ip-type=ipv4 name="t-mobile BRIDGE#2" passthrough-interface=net-051 passthrough-mac=auto \
    use-peer-dns=no
set [ find default-name=lte1 ] allow-roaming=no apn-profiles="t-mobile FIXED,t-mobile BRIDGE#1,t-mobile BRIDGE#2" band=""
IPSEC ikev2 tunnels are only possible between Mikrotiks with v7.20beta. No ikev2 between v7.20beta and older versions independent from authentication method (eap-radius/pre-shared key/digital signature). No IPSEC ikev2 from Android to v7.20beta either, independent from the client (Standard, NCP, strongSwan).
 
bratislav
Frequent Visitor
Posts: 69
Joined: Mon May 05, 2014 10:36 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 12:22 pm

firewall - allow "dst-limit" matcher to work properly above value 10000;
Wow, I believe this is 18 year old issue...
by janisk » Wed Aug 22, 2007 12:28 pm

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps

this is a bug, that values greater than that will not be accurate

if you set 33,0 pps then you will get 24 as a result
34 to 49 pps will give you 33 pps
50 to 99 = 50
100 to 10000 = 100
10001 to .. = no limits

this is a result of a minor settings bug, which is known, and is being fixed. after that you will be able to use specific settings
So just be patient, everything will be solved eventually :)
 
wiktorbgu
just joined
Posts: 7
Joined: Sun Dec 26, 2021 11:59 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 1:06 pm

*) ip - added socksify feature and new NAT action "socksify";
Is there documentation?

I pre-mark the connections I need to specific hosts in the prerouting chain and then route them to the socks.
/ip firewall nat add action=socksify chain=dstnat connection-mark=to_dpi in-interface-list=LAN socks5-port=1080 socks5-server=192.168.254.10

Works well, BUT does not support UDP like the built-in socks server. As a built-in method in ROS, this is very good.

Noticed that redirect loads the system less if I use a transparent proxy service in the container and a redirect rule to the service port
iptables -t nat -A PREROUTING -i eth0 -p tcp -j REDIRECT --to-port 4080

It is better to add the TPROXY module for iptables together with the containers package so that there are no problems with udp redirection in containers with network services.

One downside to the new release is the change of the standard VETH name inside the container from eth0 to the external name VETH, which will require adapting internal entrypoint scripts in many places.

There's a lot of great work going into this beta!
 
buset1974
Frequent Visitor
Posts: 87
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v7.20beta [testing] is released!

Thu May 29, 2025 3:30 pm

what is the point of BGP instance? looks like we have the same in the template?
Instance was needed to link evpns, and also it will now allow to add other features that required per instance configuration.
Could you take a look, mrz? Some people, including me, are having problems after upgrading to v 7.20b.
I did not have any evpn setup, just simple bgp, and some of the peers are having problems with instance

Thx
 
ckleea
Frequent Visitor
Posts: 70
Joined: Sun Apr 21, 2013 12:19 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 3:36 pm

I have problems in previous working IPSec. Not working
Also my container has problems - could not find config.json. Not able to start
 
felixka
Frequent Visitor
Posts: 72
Joined: Mon Oct 19, 2020 4:12 am
Location: Canada

Re: v7.20beta [testing] is released!

Thu May 29, 2025 4:42 pm

*) system - fixed bb-upgrade failure on RB5009;
Is this strictly to prevent this from happening in the future or does it perform any restoration/fixes on devices that have been damaged and restored manually?
 
teslasystems
Frequent Visitor
Posts: 83
Joined: Sun Aug 09, 2015 3:00 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 5:32 pm

*) console - replace TAB characters with spaces when editing scripts and added tab-width user configuration in /console/settings;
"added tab-width user configuration in /console/settings"
While this part is very nice for display purposes,

"replace TAB characters with spaces when editing scripts"
this part is a very bad change. I've lost all tabs in my scripts and when I need to edit them in some external editor, I need to restore them each time. Absolutely unacceptable.

Please return it back! I mean, TAB character should NOT be replaced, and tab-width parameter should only be used to correctly display TAB character in WinBox or console.
 
g22113
just joined
Posts: 15
Joined: Sat Aug 19, 2017 3:21 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 6:31 pm

After upgrade, IPsec using IKEv2 PSK fails to authenticate to strongSwan.

From strongSwan 5.9.8 (debian) peer logs:
charon-systemd[138861]: parsed IKE_AUTH request 1 [ IDi AUTH IDr N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
charon-systemd[138861]: looking for peer configs matching 83.171.28.107[XXX.sym]...193.219.181.0[EmberGW.sym]
charon-systemd[138861]: selected peer config 'embergw-lm'
charon-systemd[138861]: tried 1 shared key for 'XXX.sym' - 'EmberGW.sym', but MAC mismatched
charon-systemd[138861]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
This is using "secret=" on RouterOS, "remote { auth = psk }" in swanctl, no certificates.
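
A triage helper for the peer-side log quoted above, added here as an example and not part of the original post: it walks charon IKE_AUTH exchanges and reports which tunnels were rejected because the PSK-derived AUTH value did not verify. The sample input is the log excerpt from the post; the function and field names are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Log excerpt copied from the post above (strongSwan 5.9.8, charon-systemd).
SAMPLE_LOG = """\
charon-systemd[138861]: parsed IKE_AUTH request 1 [ IDi AUTH IDr N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
charon-systemd[138861]: looking for peer configs matching 83.171.28.107[XXX.sym]...193.219.181.0[EmberGW.sym]
charon-systemd[138861]: selected peer config 'embergw-lm'
charon-systemd[138861]: tried 1 shared key for 'XXX.sym' - 'EmberGW.sym', but MAC mismatched
charon-systemd[138861]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Optional "NN[GRP] " thread/group tag is tolerated for syslog-style charon output.
PREFIX = re.compile(r"charon[\w-]*\[(?P<pid>\d+)\]:\s+(?:\d+\[[A-Z]+\]\s+)?(?P<msg>.*)$")
REQUEST = re.compile(r"parsed IKE_AUTH request (\d+) \[(.*)\]$")
LOOKUP = re.compile(r"looking for peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]$")
SELECTED = re.compile(r"selected peer config '(.+)'$")
PSK_MISMATCH = re.compile(r"tried (\d+) shared keys? for '(.*?)' - '(.*?)', but MAC mismatched$")
RESPONSE = re.compile(r"generating IKE_AUTH response (\d+) \[(.*)\]$")


@dataclass
class AuthFailure:
    message_id: int
    cert_in_request: bool      # True if the initiator sent a CERT payload
    local_ip: str = ""
    local_id: str = ""
    remote_ip: str = ""
    remote_id: str = ""
    config: str = ""
    keys_tried: int = 0
    reason: str = "unclassified"


def find_auth_failures(log_text):
    """Return one AuthFailure per IKE_AUTH request answered with N(AUTH_FAILED).

    State is tracked per charon PID, so heavily interleaved exchanges from
    several peers in one daemon may need the thread tag as an extra key.
    """
    pending = {}
    failures = []
    for line in log_text.splitlines():
        found = PREFIX.search(line)
        if not found:
            continue
        pid, msg = found["pid"], found["msg"].strip()
        if (r := REQUEST.match(msg)):
            pending[pid] = {"message_id": int(r[1]),
                            "cert_in_request": "CERT" in r[2].split()}
            continue
        state = pending.get(pid)
        if state is None:
            continue
        if (r := LOOKUP.match(msg)):
            # charon prints local[local ID]...remote[remote ID]
            state.update(local_ip=r[1], local_id=r[2], remote_ip=r[3], remote_id=r[4])
        elif (r := SELECTED.match(msg)):
            state["config"] = r[1]
        elif (r := PSK_MISMATCH.match(msg)):
            # The AUTH value computed from the local PSK did not match the peer's.
            state.update(keys_tried=int(r[1]), reason="psk-mac-mismatch")
        elif (r := RESPONSE.match(msg)):
            del pending[pid]
            if int(r[1]) == state["message_id"] and "N(AUTH_FAILED)" in r[2].split():
                failures.append(AuthFailure(**state))
    return failures


def summarize(failures):
    """Count failures per (connection, remote identity, reason)."""
    return Counter((f.config, f.remote_id, f.reason) for f in failures)


if __name__ == "__main__":
    for key, count in summarize(find_auth_failures(SAMPLE_LOG)).items():
        print(count, *key)
```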
 
TomSF
Member Candidate
Posts: 109
Joined: Tue Jun 27, 2017 2:12 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 7:46 pm

Has anyone had issues with IPv4 DHCP client? I have a remote router that cannot get an Internet connection from my ISP there. The ISP equipment and router have both been power cycled. The ISP can communicate with their equipment. My WiFi network seems to be working. But still no connection. The connection seems to have gone away at 01:00 which is the time my upgrade script would have installed the new update. I am dead in the water until I am physically there which will be 6/9 so cannot provide any more information and cannot rollback.
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 8:58 pm

Are you really telling us that you do a nightly scripted install of each beta version on a router on a site where you are not physically present and have no other backdoor access to?
 
syadnom
Forum Veteran
Posts: 849
Joined: Thu Jan 27, 2011 7:29 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 9:12 pm

Are you really telling us that you do a nightly scripted install of each beta version on a router on a site where you are not physically present and have no other backdoor access to?
I didn't want to post that but had the same thought. Test on the bench guys, test on the bench!
 
syadnom
Forum Veteran
Posts: 849
Joined: Thu Jan 27, 2011 7:29 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 9:13 pm

*) dhcpv4-server - added "lease-agent-circuit-id" and "lease-agent-remote-id" variables to the lease script;
thank you thank you thank you for this!

Now I just want hardware accelerated vxlan on ipv6 :)
 
TomSF
Member Candidate
Posts: 109
Joined: Tue Jun 27, 2017 2:12 am

Re: v7.20beta [testing] is released!

Thu May 29, 2025 10:03 pm

Re: installing a beta via script, it is not a critical site so I take the risk. I know it is bad practice but it is just a nice-to-have-working site. I have never had a problem until now, but there is always a first time for everything. Once I get there, I will roll back and figure out the DHCP client issue.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Thu May 29, 2025 11:01 pm

@MT
OpenFlow seems to work with Faucet at first try. The question is: how does hardware offload come into play, since the ports are now being handled in openflow->ports and not in the bridge? Could you please give clarity on this?
I'm curious too... Running some tests with faucet on RB1100AHx4... I see good amount of CPU in profile for "openflow" (although still below max), and various speed tests show ~200-300M using OpenFlow+Faucet (vs 700-900M when NOT passing through the ROS OF switch). So I'm not seeing HW offload there. And my current speeds via OpenFlow seem much slower than I expected... even considering older RB1100AHx4. I'll try RB5009 at some point with OpenFlow.

But if there are routers that HW offload OpenFlow, that be good to know...
 
soheilsh
Member Candidate
Posts: 134
Joined: Fri Nov 26, 2010 3:39 pm

Re: v7.20beta [testing] is released!

Thu May 29, 2025 11:53 pm

Being forced 7.20 to use Winbox 4 with this terrible GUI is complete dictatorship. Remove this requirement as soon as possible. Instead of doing this, improve masquerade NAT and add FastTrack support for x86.
 
Kentzo
Forum Veteran
Posts: 710
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: v7.20beta [testing] is released!

Fri May 30, 2025 12:54 am

*) container - allow to use multiple veths in a container, change the in container interface name to same as in RouterOS;
Finally I will be able to move Homebridge to ax^3.
 
teslasystems
Frequent Visitor
Posts: 83
Joined: Sun Aug 09, 2015 3:00 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 1:11 am

Being forced 7.20 to use Winbox 4 with this terrible GUI is complete dictatorship. Remove this requirement as soon as possible.
Update to WinBox 3.42
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines
Contact:

Re: v7.20beta [testing] is released!

Fri May 30, 2025 2:03 am

I'm curious too... Running some tests with faucet on RB1100AHx4... I see good amount of CPU in profile for "openflow" (although still below max), and various speed tests show ~200-300M using OpenFlow+Faucet (vs 700-900M when NOT passing through the ROS OF switch). So I'm not seeing HW offload there. And my current speeds via OpenFlow seem much slower than I expected... even considering older RB1100AHx4. I'll try RB5009 at some point with OpenFlow.

But if there are routers that HW offload OpenFlow, that'd be good to know...
Thanks for the quick test, and that is somehow expected. For sure this can be improved in the next few releases; at least the wait is over and now the fun part begins.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.20beta [testing] is released!

Fri May 30, 2025 4:03 am

*) container - allow to use multiple veths in a container, change the in container interface name to same as in RouterOS;
Finally I will be able to move Homebridge to ax^3.

I didn't have good luck on this multiple veths to homebridge however...

Now did get to see what these look like:
*) container - display any error prominently in WinBox;
*) container - improved error and log messages;
Tried a couple times, but I kept getting [one of the new] error messages on RB1100AHx4 when using TWO VETHs for homebridge...
Specifically:
# could not acquire interface: veth-homebridge-scz get ifindex failed (6)

with config:
/container add check-certificate=no interface=veth-homebridge-dsi,veth-homebridge-scz \
logging=yes mounts=homebridge name=homebridge root-dir=disk1/homebridge \
start-on-boot=yes workdir=/homebridge remote-image=registry-1.docker.io/homebridge/homebridge:latest check-certificate=no
Container extracts okay, and gets to stopped state. But when you go to "start", that's when you get this error.

Worse...even when container is stopped (since it got that error), one of the VETH shows running & cannot be removed:
/interface/veth/print
Flags: X - disabled; R - running 
 0  R name="veth-faucet" address=172.19.7.7/24 gateway=172.19.7.1 gateway6="" 
 1  R name="veth-homebridge-dsi" address=192.168.163.249/24 gateway="" gateway6="" 
 2    name="veth-homebridge-scz" address=192.168.74.249/24 gateway=192.168.74.1 gateway6=""
 /container/print detail 
 1 S ;;; could not acquire interface: veth-homebridge-scz get ifindex failed (6)
     check-certificate=no name="homebridge" 
     tag="registry-1.docker.io/homebridge/homebridge:latest" os="linux" 
     arch="arm" interface=veth-homebridge-dsi,veth-homebridge-scz envlists="" 
     cmd="" entrypoint="" stop-signal=15-SIGTERM root-dir=disk1/homebridge 
     mounts=homebridge hostname="" domain-name="" workdir="/homebridge" 
     logging=yes start-on-boot=yes auto-restart-interval=none 
     memory-high=unlimited devices="" passed-devs="" config-json=...
 
/interface/veth> remove 1
failure: in use by container

If I remove one of the VETH from the /container, and leave the one NOT running configured for use... I get a different error:
;;; could not acquire interface: same set of overlapping interfaces must be used for different containers that run at the same time (6)


And only a reboot will allow the "stuck" VETH to be removed. Disabling it has no effect; I got the same "failure: in use by container" when trying to remove it - which is odd since it is disabled... The stuck VETH shows "R - running" just from the failed attempt to add it to /container with MULTIPLE VETHs....

Somewhat unrelated but... at least in WinBox4... there are TWO editable Mounts items shown in dialog box for container:
mounts-shown-twice.png
 
MatiasMK88
just joined
Posts: 8
Joined: Tue Jan 21, 2025 10:56 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 5:55 am

Being forced 7.20 to use Winbox 4 with this terrible GUI is complete dictatorship. Remove this requirement as soon as possible. Instead of doing this, improve masquerade NAT and add FastTrack support for x86.
Just because you don't like the interface doesn't mean it's ugly. On the other hand, I agree with you that we need improvements in NAT, but at the Carrier Grade NAT (CGNAT) level.
 
MatiasMK88
just joined
Posts: 8
Joined: Tue Jan 21, 2025 10:56 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 5:59 am

Hi Mikrotik, we understand that things like tunnels need to be improved, but we need improvements in NAT at the Carrier Grade NAT (CGNAT) level. We need BFD and everything that's on the roadmap for that protocol to be fully implemented. We hope to find a solution very soon. Some of us use Mikrotik for ISPs, not for tunnels to watch movies or video cameras.
 
sch
MikroTik Support
Posts: 87
Joined: Tue Feb 26, 2013 1:05 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 7:48 am

@Amm0, please get in touch with us and send supout.rif file.
 
xrlls
Member Candidate
Posts: 112
Joined: Sun Jan 13, 2019 4:43 pm
Location: Copenhagen, DK

Re: v7.20beta [testing] is released!

Fri May 30, 2025 11:16 am

*) iot - iot-bt-extra package stability improvement and additional dongle support;
I am seeing some issues with this. After upgrading my Bluetooth adapter shows as offline:
/iot/bluetooth/print detail 
Flags: X - offline 
 0 X name="bt1" public-address=A8:6E:84:47:98:0E random-static-address=E5:7B:B3:01:AD:73 antenna=internal
 
And this is whether it is connected or not. For now it is connected:
/system/resource/hardware/print 
Columns: LOCATION, TYPE, VENDOR, NAME, SPEED, DEVICE-PATH, OWNER
# LOCATION  TYPE  VENDOR                NAME                           SPEED  DEVICE-PATH      OWNER 
0 1-0       usb   Linux 5.6.3 xhci-hcd  xHCI Host Controller             480  bus/usb/001/001        
1 1-1       usb                         TP-Link Bluetooth USB Adapter     12                   system
2 2-0       usb   Linux 5.6.3 xhci-hcd  xHCI Host Controller            5000  bus/usb/002/001
Now, I of course do not know whether this TP-Link UB400 adapter is supported. But it has previously been indicated by MikroTik that it might be in a future version.

Also, I tried to remove both the iot and the iot-bt-extra packages, and reinstall them, but this made no difference. Concerningly, the configurations are persistent enough that my MQTT broker config survived the removal and reinstall of the iot package.
 
eworm
Forum Guru
Posts: 1101
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.20beta [testing] is released!

Fri May 30, 2025 11:49 am

Something is wrong with file handling...
[admin@MikroTik] > /file/add type=directory name=tmpfs/test
[admin@MikroTik] > /file/print where name="tmpfs/test" type=directory

[admin@MikroTik] >
Why is the directory not shown?
 
eworm
Forum Guru
Posts: 1101
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.20beta [testing] is released!

Fri May 30, 2025 11:53 am

Oh...
[admin@MikroTik] > /file/print recursive where name="tmpfs/test" type=directory
  Flags: S - shared 
 #   NAME                            TYPE             SIZE LAST-MODIFIED       
 4   tmpfs/test                      directory             2025-05-30 10:45:45 
[admin@MikroTik] >
Well, that breaks a lot of (my) scripts... And there is no easy workaround to make this run with all RouterOS versions - when was "recursive" introduced?
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 2:32 pm

This change is probably related to the re-purposing of RouterOS as a NAS OS...
Before, the traversal of the entire file tree was implicit and it caused little problem because the tree was usually small (although I do not like that e.g. the user manager trees are always shown when opening files).
But with the new usage as a NAS, the tree may contain millions of files and this had to be changed.
 
eworm
Forum Guru
Posts: 1101
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.20beta [testing] is released!

Fri May 30, 2025 3:18 pm

Yes, pretty sure it is related with these changes. Anyway... I give a specific path, and I do not want to go recursively into that path. It does not make sense to scan a complete structure just to know if a single file or directory (with given path and name!) exists...
 
sid5632
Long time Member
Posts: 571
Joined: Fri Feb 17, 2017 6:05 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 3:33 pm

The change log for beta 2 has some UTF8 stupidity, probably at least 1 more code operation than decode on these lines:

bridge - added dynamic tagged entry named “switch-cpu” in scenarios
cloud - reduced “BTH Files” ping interval
fetch - display file sizes between 1–1023 bytes

The first in hex:
named “switch-cpu� in scenarios
00000000  6e 61 6d 65 64 20 c3 a2  e2 82 ac c5 93 73 77 69  |named .......swi|
00000010  74 63 68 2d 63 70 75 c3  a2 e2 82 ac ef bf bd 20  |tch-cpu........ |
00000020  69 6e 20 73 63 65 6e 61  72 69 6f 73              |in scenarios    |
0000002d
I guess the others are very similar.
Tested the same on Linux and Windows.
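
The hex dump in the post above is consistent with text that was UTF-8 encoded, decoded as Windows-1252, and UTF-8 encoded again; the closing quote's third byte (0x9D, undefined in Windows-1252) shows up as U+FFFD. The following Python is an added example, not part of the original post, that reverses that round trip on the dumped bytes and lists what the lost byte could have been; the function names are illustrative.

```python
# Added example (not from the forum post): undo one UTF-8 -> cp1252 -> UTF-8
# round trip and report characters that the round trip destroyed.

# Bytes Windows-1252 leaves undefined. Python's cp1252 codec rejects them, and a
# decoder running with errors="replace" turns each of them into U+FFFD.
CP1252_UNDEFINED = (0x81, 0x8D, 0x8F, 0x90, 0x9D)
REPLACEMENT = "\ufffd"

# The 44 bytes shown in the hex dump in the post above.
DUMP = bytes.fromhex(
    "6e616d656420c3a2e282acc593737769"
    "7463682d637075c3a2e282acefbfbd20"
    "696e207363656e6172696f73"
)


def undo_round_trip(chunk):
    """Return the single character `chunk` stood for, or None if it is not mojibake."""
    try:
        fixed = chunk.encode("cp1252").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    return fixed if len(fixed) == 1 else None


def lost_byte_candidates(chunk):
    """For a chunk ending in U+FFFD, list the characters the lost byte could complete."""
    try:
        prefix = chunk[:-1].encode("cp1252")
    except UnicodeEncodeError:
        return []
    found = []
    for byte in CP1252_UNDEFINED:
        try:
            char = (prefix + bytes([byte])).decode("utf-8")
        except UnicodeDecodeError:
            continue
        if len(char) == 1:
            found.append(char)
    return found


def repair(data):
    """Return (repaired_text, lost) where lost is [(index, candidates), ...]."""
    text = data.decode("utf-8")
    out, lost, i = [], [], 0
    while i < len(text):
        consumed = 0
        if ord(text[i]) >= 0x80:
            # A UTF-8 sequence is 2-4 bytes, so its mojibake spans 2-4 characters.
            for n in (2, 3, 4):
                chunk = text[i:i + n]
                if len(chunk) < n:
                    break
                fixed = undo_round_trip(chunk)
                if fixed is not None:
                    out.append(fixed)
                    consumed = n
                    break
                candidates = []
                if chunk.endswith(REPLACEMENT):
                    candidates = lost_byte_candidates(chunk)
                if candidates:
                    # Keep U+FFFD in place: the original byte is gone for good.
                    lost.append((len(out), candidates))
                    out.append(REPLACEMENT)
                    consumed = n
                    break
        if not consumed:
            out.append(text[i])
            consumed = 1
        i += consumed
    return "".join(out), lost


if __name__ == "__main__":
    repaired, lost = repair(DUMP)
    print(repaired)
    for index, candidates in lost:
        print(index, [f"U+{ord(c):04X}" for c in candidates])
```

The opening quote is recovered exactly; for the closing one the code can only narrow the lost byte down to five code points, of which U+201D is the one that pairs with the opening quote.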
 
melectronics
just joined
Posts: 24
Joined: Fri Oct 06, 2023 7:43 pm
Location: Germany

Re: v7.20beta [testing] is released!

Fri May 30, 2025 4:51 pm

Also, anyone upgrading and using BGP, keep in mind that in my test router all BGP peers could not connect after upgrading because the new bgp instance feature did not contain my local AS number. Once I manually set it on the instance, then they could connect.
I have a problem similar to this one here. I configured the instance with my ASN and set the instance on the connections, but not all that worked before the upgrade come up. Is there a solution / fix already now?

UPDATE: I found out that the issue is the combination of VXLAN and eBGP or maybe also BGP in general. (And no! Not with a VXLAN of EVPN! With another normal VXLAN on the router)
Last edited by melectronics on Fri May 30, 2025 7:49 pm, edited 1 time in total.
 
Kentzo
Forum Veteran
Posts: 710
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: v7.20beta [testing] is released!

Fri May 30, 2025 5:05 pm

It does not make sense to scan a complete structure just to know if a single file or directory (with given path and name!) exists...
How about `/file/get <path> value-name=name` and then check for errors (afk and cannot verify)?
Last edited by Kentzo on Fri May 30, 2025 6:44 pm, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.20beta [testing] is released!

Fri May 30, 2025 5:09 pm

@Amm0, please get in touch with us and send supout.rif file.
Filed as SUP-189565
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines
Contact:

Re: v7.20beta [testing] is released!

Fri May 30, 2025 5:47 pm

There is no openflow in the list of topics in system logging :)
 
syadnom
Forum Veteran
Posts: 849
Joined: Thu Jan 27, 2011 7:29 am

Re: v7.20beta [testing] is released!

Fri May 30, 2025 7:32 pm

I want to throw in a comment/vote for some more CGNAT goodness.

It would be really great for a more complete CGNAT interface that could be configured to do dynamic things like 'ports per host = 1000' and a mappings table to show that (sort of presented like DHCP leases). Robust logging for new mappings and for removed mappings (helps with compliance with DMCA requests etc) as well as occurrences of port overloads etc.

The current pseudoCGNAT model of 2 nat entries per host is cumbersome and doesn't scale well.
 
MatiasMK88
just joined
Posts: 8
Joined: Tue Jan 21, 2025 10:56 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 9:25 pm

Hi, just to share a new video shared by engineer Wilmer Almazan / The Network Trip about EVPN-VXLAN.
https://www.youtube.com/watch?v=dpukLeiRlV0

I think it's a good time to support his content and encourage him to do more labs of this comprehensive style.
 
MatiasMK88
just joined
Posts: 8
Joined: Tue Jan 21, 2025 10:56 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 9:27 pm

I want to throw in a comment/vote for some more CGNAT goodness.

It would be really great for a more complete CGNAT interface that could be configured to do dynamic things like 'ports per host = 1000' and a mappings table to show that (sort of presented like DHCP leases). Robust logging for new mappings and for removed mappings (helps with compliance with DMCA requests etc) as well as occurrences of port overloads etc.

The current pseudoCGNAT model of 2 nat entries per host is cumbersome and doesn't scale well.
I support that CGNAT request.

I wish this forum covered more ISP topics and less the typical VPN or Wi-Fi.

MikroTik ISPs need CGNAT scale on MikroTik.
 
toxicfusion
Member
Posts: 351
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 9:49 pm

I want to throw in a comment/vote for some more CGNAT goodness.

It would be really great for a more complete CGNAT interface that could be configured to do dynamic things like 'ports per host = 1000' and a mappings table to show that (sort of presented like DHCP leases). Robust logging for new mappings and for removed mappings (helps with compliance with DMCA requests etc) as well as occurrences of port overloads etc.

The current pseudoCGNAT model of 2 nat entries per host is cumbersome and doesn't scale well.
I support that CGNAT request.

I wish this forum covered more ISP topics and less the typical VPN or Wi-Fi.

MikroTik ISPs need CGNAT scale on MikroTik.
Concur with this.... I think it's the identity crisis that MikroTik faces. They can't focus on just one thing, can't be both prosumer and enterprise at the same time.... not without real proper segmentation. Or, we can cross our toes they'll deliver well rounded RouterOS for all aspects all niche they wish to cover.
 
melectronics
just joined
Posts: 24
Joined: Fri Oct 06, 2023 7:43 pm
Location: Germany

Re: v7.20beta [testing] is released!

Fri May 30, 2025 10:02 pm



I support that CGNAT request.

I wish this forum covered more ISP topics and less the typical VPN or Wi-Fi.

MikroTik ISPs need CGNAT scale on MikroTik.
Concur with this.... I think it's the identity crisis that MikroTik faces. They can't focus on just one thing, can't be both prosumer and enterprise at the same time.... not without real proper segmentation. Or, we can cross our toes they'll deliver well rounded RouterOS for all aspects all niche they wish to cover.
But don't think about a paid-only version of ROS please!
 
MatiasMK88
just joined
Posts: 8
Joined: Tue Jan 21, 2025 10:56 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 10:19 pm



Concur with this.... I think it's the identity crisis that MikroTik faces. They can't focus on just one thing, can't be both prosumer and enterprise at the same time.... not without real proper segmentation. Or, we can cross our toes they'll deliver well rounded RouterOS for all aspects all niche they wish to cover.
But don't think about a paid-only version of ROS please!
That would be great as long as it's functional. Many of us pay, imagine many of us spending $15,000 for a full CGNAT box. Surely someone will come up with something like IPv6, which is great, and we all have to implement it. But not everything is IPv6; much is still IPv4. So we need a full CGNAT on MikroTik.

Full CGNAT support on MikroTik
 
MatiasMK88
just joined
Posts: 8
Joined: Tue Jan 21, 2025 10:56 pm

Re: v7.20beta [testing] is released!

Fri May 30, 2025 10:21 pm



Concur with this.... I think it's the identity crisis that MikroTik faces. They can't focus on just one thing, can't be both prosumer and enterprise at the same time.... not without real proper segmentation. Or, we can cross our toes they'll deliver well rounded RouterOS for all aspects all niche they wish to cover.
But don't think about a paid-only version of ROS please!
MikroTik has been dormant for many years, and today they're desperate. But they need to focus on the business. Sorry, MikroTik, this isn't a criticism; we'd just really like to see you be great. And in many cases, stop messing around with things that many ISPs don't even know how they work for.

An old saying goes, you can't sing and dance at the same time.
 
melectronics
just joined
Posts: 24
Joined: Fri Oct 06, 2023 7:43 pm
Location: Germany

Re: v7.20beta [testing] is released!

Fri May 30, 2025 10:59 pm

And in many cases, stop messing around with things that many ISPs don't even know how they work for.
There I'm with you :)
MikroTik has been dormant for many years, and today they're desperate. But they need to focus on the business.
I haven't found another vendor until now who sells hardware for both: advanced home users and professionals. I love that way from MikroTik!
(I'm unsure whether you think they should stop that selling model?)
 
eworm
Forum Guru
Posts: 1101
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.20beta [testing] is released!

Sat May 31, 2025 12:37 am

Oh, found more breakage...
[eworm@carpo] > /file/read file=filename
not enough permissions (9)
No matter what I try.

What's the deal there?
 
nzlme
just joined
Posts: 8
Joined: Wed Sep 15, 2010 9:04 am
Location: Auckland, New Zealand

Re: v7.20beta [testing] is released!

Sat May 31, 2025 3:48 am

Re: *) sfp - improved initialization and linking for sfp28 on CRS518;

I am having initialization issues with 25G QSFP28 fs.com optics on CRS518-16XS-2XQ r2.

The optic DDM / EPROM readout looks fine until it starts receiving light, then it stabilizes, looks like it's trying to link up, and then goes back to initialization.

I have this issue on 7.18.2 and tried installing 7.20beta2, same issue. I have multiple of these 10KM optics in a CRS518 https://www.fs.com/au/products/151887.html 10/25GBASE-D SFP28 BiDi 1330nm-TX/1270nm-RX 10km DOM Simplex LC/UPC SMF Transceiver Module (Industrial), and have also tried with the 20KM variant, same issue with the 20KM.

They all look fine when not receiving light, but go into an initialization loop as soon as they receive light and try to link up.
 
melectronics
just joined
Posts: 24
Joined: Fri Oct 06, 2023 7:43 pm
Location: Germany

Re: v7.20beta [testing] is released!

Sat May 31, 2025 9:01 am

The LDP / MPLS for IPv6 is still broken since v7.17. It is very bad when you want to run L3VPN (VPNv6) :(
I confirmed that it works on v7.16.2 so it must be something in v7.17.(x)
 
syadnom
Forum Veteran
Posts: 849
Joined: Thu Jan 27, 2011 7:29 am

Re: v7.20beta [testing] is released!

Sat May 31, 2025 7:56 pm

I haven't tested, but IPv6 native is where we're headed. MikroTik needs to sort out IPv6 support in a number of areas. For me, vxlan/vtep on IPv6 hardware accelerated is a fixed requirement.
 
wlfz
newbie
Posts: 34
Joined: Wed Jan 27, 2010 2:22 pm

Re: v7.20beta [testing] is released!

Sun Jun 01, 2025 9:15 am

@mrz
@normis
@strods
@EdPa
@sch

*) ipv6 - make pref-src work and settable for static routes;
I am pleased that Mikrotik has added pref-src on IPv6 routing. But after testing, this feature is not completely effective. Please refer to the configuration information below. For ease of viewing, I have streamlined the relevant information:

The IPv6 addresses of source router:
[admin@SourceRouter] /ipv6/address> print
Flags: I - INVALID; D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
 #     ADDRESS     FROM-POOL    INTERFACE       ADVERTISE
 0   G 240e::1/64  ether1-pool  ether1-bridge1  yes      
 1   G 240e::2/64  ether1-pool  ether1-bridge2  yes      
 2   G 240e::3/64  ether1-pool  ether1-bridge3  yes      
 3   G 240e::4/64  ether1-pool  ether1-bridge4  yes      
 4   G 240e::5/64  ether1-pool  ether1-bridge5  yes      
 5   G 240e::6/64  ether1-pool  ether1-bridge6  yes


The IPv6 addresses of destination router:
[admin@DestinationRouter] /ipv6/address> print
Flags: I - INVALID; D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
 #     ADDRESS     FROM-POOL    INTERFACE       ADVERTISE
 0   G 2409::a/64  ether1-pool  ether1-bridge1  yes      
 1   G 2409::b/64  ether1-pool  ether1-bridge2  yes      
 2   G 2409::c/64  ether1-pool  ether1-bridge3  yes      
 3   G 2409::d/64  ether1-pool  ether1-bridge4  yes      
 4   G 2409::e/64  ether1-pool  ether1-bridge5  yes      
 5   G 2409::f/64  ether1-pool  ether1-bridge6  yes


IPv6 routing configuration on the source router (including pref-src settings):
[admin@SourceRouter] /ipv6/route> print detail 
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, g - slaac, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 

   DAd   dst-address=::/0 routing-table=main gateway=fe80::de2c:6eff:fe41:c786%ether1
 0  As   dst-address=2409::a/128 routing-table=main pref-src=240e::1 gateway=fe80::de2c:6eff:fe41:c786%ether1
 1  As   dst-address=2409::b/128 routing-table=main pref-src=240e::2 gateway=fe80::de2c:6eff:fe41:c786%ether1
 2  As   dst-address=2409::c/128 routing-table=main pref-src=240e::3 gateway=fe80::de2c:6eff:fe41:c786%ether1
 3  As   dst-address=2409::d/128 routing-table=main pref-src=240e::4 gateway=fe80::de2c:6eff:fe41:c786%ether1
 4  As   dst-address=2409::e/128 routing-table=main pref-src=240e::5 gateway=fe80::de2c:6eff:fe41:c786%ether1
 5  As   dst-address=2409::f/128 routing-table=main pref-src=240e::6 gateway=fe80::de2c:6eff:fe41:c786%ether1

Ping from source router to the IPv6 addresses of the destination router, and view their icmpv6 connection information separately:


The ICMPv6 connection of source router:

[admin@SourceRouter] /ipv6/firewall/connection> print where protocol=icmpv6
Flags: S - SEEN-REPLY; C - CONFIRMED
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
#    PROTOCOL  SRC-ADDRESS   DST-ADDRESS   TIMEOUT  ORIG-RATE  REPL-RATE  ORIG-PACKETS  REPL-PACKETS  ORIG-BYTES  REPL-BYTES
0 SC icmpv6    240e::2       2409::f       29s      896bps     0bps                143           111       8 008       6 216
1 SC icmpv6    240e::2       2409::d       29s      896bps     448bps              136           107       7 616       5 992
2 SC icmpv6    240e::2       2409::a       29s      896bps     896bps              130           130       7 280       7 280
3 SC icmpv6    240e::2       2409::c       29s      896bps     896bps              124           124       6 944       6 944
4 SC icmpv6    240e::2       2409::e       29s      896bps     896bps              118           118       6 608       6 608
5 SC icmpv6    240e::2       2409::b       29s      896bps     896bps              111           111       6 216       6 216

The ICMPv6 connection of destination router:
[admin@DestinationRouter] /ipv6/firewall/connection> print where protocol=icmpv6
Flags: S - SEEN-REPLY; C - CONFIRMED
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TIMEOUT
#    PROTOCOL  SRC-ADDRESS  DST-ADDRESS  TIMEOUT
0 SC icmpv6    240e::2      2409::f      29s    
1 SC icmpv6    240e::2      2409::d      29s    
2 SC icmpv6    240e::2      2409::a      29s    
3 SC icmpv6    240e::2      2409::c      29s    
4 SC icmpv6    240e::2      2409::e      29s    
5 SC icmpv6    240e::2      2409::b      29s

It can be seen that although the pref-src parameter is explicitly specified in the routing rules, the same source address is still used. The choice of source address depends on which routing rule is first created or enabled. This issue also exists in VRF.
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines
Contact:

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 5:59 am

I found a bug: when you have multiple VXLANs and VNIs, only one VTEP is dynamically created, only for the last entry in the /interface/vxlan menu. Creating a manual VTEP is the workaround for the setup to work upon next reboot.

You can trigger the creation of dynamic VTEPs for all VNIs by using /interface/vxlan/set dont-fragment=disable [index] to make this work, but it won't survive the next reboot, therefore creating a manual VTEP is necessary.

Disclaimer: this happens on GNS3; I haven't tried this yet on real hardware.

https://help.mikrotik.com/servicedesk/s ... SUP-189706
viewtopic.php?p=1146015#p1146015
 
teslasystems
Frequent Visitor
Posts: 83
Joined: Sun Aug 09, 2015 3:00 pm

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 6:01 am

*) console - replace TAB characters with spaces when editing scripts and added tab-width user configuration in /console/settings;
"added tab-width user configuration in /console/settings"
While this part is very nice for display purposes,

"replace TAB characters with spaces when editing scripts"
this part is a very bad change. I've lost all tabs in my scripts and when I need to edit them in some external editor, I need to restore them each time. Absolutely unacceptable.

Please return it back! I mean, TAB character should NOT be replaced, and tab-width parameter should only be used to correctly display TAB character in WinBox or console.
Doesn't it bother anyone who works with scripts?
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 9:24 am



"added tab-width user configuration in /console/settings"
While this part is very nice for display purposes,

"replace TAB characters with spaces when editing scripts"
this part is a very bad change. I've lost all tabs in my scripts and when I need to edit them in some external editor, I need to restore them each time. Absolutely unacceptable.

Please return it back! I mean, TAB character should NOT be replaced, and tab-width parameter should only be used to correctly display TAB character in WinBox or console.
Doesn't it bother anyone who works with scripts?
Hmmm, I didn't notice this line, but why did they change this? From now on my scripts won't work if matching \t characters in exported configurations?
 
Dude2048
Member Candidate
Posts: 213
Joined: Thu Sep 01, 2016 4:04 pm

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 9:42 am

I found a bug: when you have multiple VXLANs and VNIs, only one VTEP is dynamically created, only for the last entry in the /interface/vxlan menu. Creating a manual VTEP is the workaround for the setup to work upon next reboot.

You can trigger the creation of dynamic VTEPs for all VNIs by using /interface/vxlan/set dont-fragment=disable [index] to make this work, but it won't survive the next reboot, therefore creating a manual VTEP is necessary.

Disclaimer: this happens on GNS3; I haven't tried this yet on real hardware.

https://help.mikrotik.com/servicedesk/s ... SUP-189706
viewtopic.php?p=1146015#p1146015

The first option of creating VTEPs works, but it should be dynamic.
The second option doesn't work. Setting dont-fragment brings no changes.

Thanks for filing a bug report.
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines
Contact:

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 10:01 am

Yes, this should be dynamic, because the docs don't mention that you have to create this VTEP by hand; it means that creating the VXLAN should take care of this :) Unfortunately not, hence the bug.

Try to set it to disabled or auto; I'm pretty sure it will create the dynamic VTEP.
 
mrz
MikroTik Support
Posts: 7216
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 11:48 am



Instance was needed to link evpns, and also it will now allow to add other features that required per instance configuration.
Could you take a look, mrz? Some people, including me, are having problems after upgrading to v7.20b.
I did not have any EVPN setup, just simple BGP, and some of the peers are having problems with the instance.

Thx
Config upgrade to instances is quite complex. As I stated in this topic earlier, we need to know what was configured before the upgrade.
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 12:31 pm


Also, anyone upgrading and using BGP, keep in mind that in my test router all BGP peers could not connect after upgrading because the new bgp instance feature did not contain my local AS number. Once I manually set it on the instance, then they could connect.
send a supout file from v7.19 to support. To see what bgp config exactly you had.
If you haven't specified the AS number in bgp/template and only use local.as in bgp/connection, then the connections lose the local.as attribute and BGP connectivity breaks. If you migrate local.as to bgp/template and the connections refer to that template, then the upgrade may succeed, as the instance is derived from the template. Upgraded CHR from 7.19.1 to 7.20beta2, bgp config before upgrade:
/routing bgp template
set default disabled=no router-id=10.0.10.15
/routing bgp connection
add afi=ip,l2vpn,l2vpn-cisco,vpnv4 connect=yes listen=no local.address=10.0.10.15 .role=ibgp name=peer1 output.redistribute=connected remote.address=10.0.10.11 .as=65530 templates=default
add afi=ipv6,vpnv6 connect=yes listen=no local.address=b00b::10:0:10:15 .role=ibgp name=peer6 output.redistribute=connected remote.address=b00b::10:0:10:11 .as=65530 templates=default
/routing bgp vpls
add bridge=VPLS_A bridge-horizon=3 cisco-id=10.0.10.15&65530:3 disabled=no export-route-targets=65530:3 import-route-targets=65530:3 name=VPLS_A pw-type=vpls rd=65530:3
add bridge=VPLS_B bridge-horizon=4 disabled=no export-route-targets=65530:4 import-route-targets=65530:4 name=VPLS_B pw-type=vpls rd=65530:4 site-id=15
/routing bgp vpn
add disabled=no export.redistribute=connected .route-targets=65530:1 import.route-targets=65530:1 label-allocation-policy=per-vrf name=bgp-mpls-vpn-1 route-distinguisher=65530:1 vrf=VRF_A
add disabled=no export.redistribute=connected .route-targets=65530:2 import.route-targets=65530:2 label-allocation-policy=per-prefix name=bgp-mpls-vpn-2 route-distinguisher=65530:2 vrf=\
    VRF_B
BGP config after upgrade:
[admin@rtr5.CPE] > routing/bgp/export 
# 2025-06-02 11:27:42 by RouterOS 7.20beta2
# system id = F2Gon3waNvD
#
/routing bgp instance
add as=65530 name=bgp-instance-1 vrf=main
/routing bgp template
set default disabled=no
/routing bgp connection
add afi=ip,l2vpn,l2vpn-cisco,vpnv4 connect=yes instance=bgp-instance-1 listen=no local.address=10.0.10.15 .role=ibgp name=peer1 output.redistribute=connected remote.address=10.0.10.11 \
    .as=65530 templates=default
add afi=ipv6,vpnv6 connect=yes instance=bgp-instance-1 listen=no local.address=b00b::10:0:10:15 .role=ibgp name=peer6 output.redistribute=connected remote.address=b00b::10:0:10:11 .as=\
    65530 templates=default
/routing bgp vpls
add bridge=VPLS_A bridge-horizon=3 cisco-id=10.0.10.15&65530:3 disabled=no export-route-targets=65530:3 import-route-targets=65530:3 name=VPLS_A pw-type=vpls rd=65530:3
add bridge=VPLS_B bridge-horizon=4 disabled=no export-route-targets=65530:4 import-route-targets=65530:4 name=VPLS_B pw-type=vpls rd=65530:4 site-id=15
/routing bgp vpn
add disabled=no export.redistribute=connected .route-targets=65530:1 import.route-targets=65530:1 instance=bgp-instance-1 label-allocation-policy=per-vrf name=bgp-mpls-vpn-1 \
    route-distinguisher=65530:1 vrf=VRF_A
add disabled=no export.redistribute=connected .route-targets=65530:2 import.route-targets=65530:2 instance=bgp-instance-1 label-allocation-policy=per-prefix name=bgp-mpls-vpn-2 \
    route-distinguisher=65530:2 vrf=VRF_B
[admin@rtr5.CPE] > routing/bgp/instance/set 0 router-id=10.0.10.15
[admin@rtr5.CPE] > routing/bgp/export                             
# 2025-06-02 11:28:22 by RouterOS 7.20beta2
# system id = F2Gon3waNvD
#
/routing bgp instance
add as=65530 name=bgp-instance-1 router-id=10.0.10.15 vrf=main
/routing bgp template
set default disabled=no
/routing bgp connection
add afi=ip,l2vpn,l2vpn-cisco,vpnv4 connect=yes instance=bgp-instance-1 listen=no local.address=10.0.10.15 .role=ibgp name=peer1 output.redistribute=connected remote.address=10.0.10.11 \
    .as=65530 templates=default
add afi=ipv6,vpnv6 connect=yes instance=bgp-instance-1 listen=no local.address=b00b::10:0:10:15 .role=ibgp name=peer6 output.redistribute=connected remote.address=b00b::10:0:10:11 .as=\
    65530 templates=default
/routing bgp vpls
add bridge=VPLS_A bridge-horizon=3 cisco-id=10.0.10.15&65530:3 disabled=no export-route-targets=65530:3 import-route-targets=65530:3 name=VPLS_A pw-type=vpls rd=65530:3
add bridge=VPLS_B bridge-horizon=4 disabled=no export-route-targets=65530:4 import-route-targets=65530:4 name=VPLS_B pw-type=vpls rd=65530:4 site-id=15
/routing bgp vpn
add disabled=no export.redistribute=connected .route-targets=65530:1 import.route-targets=65530:1 instance=bgp-instance-1 label-allocation-policy=per-vrf name=bgp-mpls-vpn-1 \
    route-distinguisher=65530:1 vrf=VRF_A
add disabled=no export.redistribute=connected .route-targets=65530:2 import.route-targets=65530:2 instance=bgp-instance-1 label-allocation-policy=per-prefix name=bgp-mpls-vpn-2 \
    route-distinguisher=65530:2 vrf=VRF_B
[admin@rtr5.CPE] > 
As you see, the router-id didn't migrate from template to instance, so I had to fix it by hand.
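The check described in the post above can be automated by parsing the exports taken before and after the upgrade. The following is an added example, not code from the poster or from MikroTik. The function names are hypothetical, the pre-upgrade template line is constructed to match the poster's description, and the handling of keys such as `.as=` is an assumption based on the exports shown in the post.

```python
import shlex

def join_continuations(text):
    """Rejoin lines that the export wrapped with a trailing backslash."""
    logical, buf, wrapped = [], "", False
    for raw in text.splitlines():
        piece = raw.rstrip()
        if wrapped:
            piece = piece.lstrip()          # drop the indent of a continuation line
        if piece.endswith("\\"):
            buf, wrapped = buf + piece[:-1], True
            continue
        logical.append(buf + piece)
        buf, wrapped = "", False
    return logical

def parse_export(text):
    """Return one dict per add/set command: menu, verb, targets, props."""
    entries, menu = [], None
    for line in join_continuations(text):
        line = line.strip()
        if not line or line[0] in "#[":     # comments and pasted console prompts
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *tokens = shlex.split(line)
        props, targets, prefix = {}, [], ""
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if not sep:
                targets.append(tok)         # e.g. "default" in "set default ..."
            else:
                if key.startswith("."):     # assumption: ".as=" after "remote.address=" is remote.as
                    key = prefix + key
                elif "." in key:
                    prefix = key.split(".", 1)[0]
                props[key] = value
        entries.append({"menu": menu, "verb": verb, "targets": targets, "props": props})
    return entries

def lost_settings(before, after, keys=("router-id",)):
    """(key, value) pairs set anywhere before the upgrade and nowhere after it."""
    def collect(entries):
        return {(k, v) for e in entries for k, v in e["props"].items() if k in keys}
    return sorted(collect(before) - collect(after))

def audit_bgp(entries):
    """Flag instances without a router-id and objects bound to an unknown instance."""
    findings = []
    instances = {e["props"].get("name"): e["props"]
                 for e in entries if e["menu"] == "/routing bgp instance"}
    for name, props in instances.items():
        if "router-id" not in props:
            findings.append(f"instance {name}: no explicit router-id")
    for e in entries:
        if e["verb"] == "add" and e["menu"] in ("/routing bgp connection", "/routing bgp vpn"):
            inst = e["props"].get("instance")
            if inst not in instances:
                findings.append(f"{e['menu']} {e['props'].get('name')}: instance {inst!r} not defined")
    return findings

# Constructed sample: the template line is an assumption, the connection line is from the post.
BEFORE = r"""
/routing bgp template
set default as=65530 disabled=no router-id=10.0.10.15
/routing bgp connection
add afi=ip,l2vpn,l2vpn-cisco,vpnv4 connect=yes listen=no local.address=10.0.10.15 .role=ibgp name=peer1 output.redistribute=connected remote.address=10.0.10.11 .as=65530 templates=default
"""

# Excerpt of the 7.20beta2 export quoted in the post, including its wrapped lines.
AFTER = r"""
# 2025-06-02 11:27:42 by RouterOS 7.20beta2
/routing bgp instance
add as=65530 name=bgp-instance-1 vrf=main
/routing bgp template
set default disabled=no
/routing bgp connection
add afi=ip,l2vpn,l2vpn-cisco,vpnv4 connect=yes instance=bgp-instance-1 listen=no local.address=10.0.10.15 .role=ibgp name=peer1 output.redistribute=connected remote.address=10.0.10.11 \
    .as=65530 templates=default
add afi=ipv6,vpnv6 connect=yes instance=bgp-instance-1 listen=no local.address=b00b::10:0:10:15 .role=ibgp name=peer6 output.redistribute=connected remote.address=b00b::10:0:10:11 .as=\
    65530 templates=default
"""

if __name__ == "__main__":
    after = parse_export(AFTER)
    for finding in audit_bgp(after):
        print("AUDIT:", finding)
    for key, value in lost_settings(parse_export(BEFORE), after):
        print(f"LOST: {key}={value} was set before the upgrade but is absent afterwards")
```

Running the same comparison on exports saved as part of the pre-upgrade backup step turns a silent loss like this into a visible finding before BGP sessions are relied on.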
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 1:29 pm

The LDP / MPLS for IPv6 is still broken since v7.17. It is very bad when you want to run L3VPN (VPNv6) :(
I confirmed that it works on v7.16.2 so it must be something in v7.17.(x)
Hmmm, indeed now neither label-alloc-policy config works for VPNv6 in 7.19/7.20 :-(
All of the IPv6 LDP remote mappings are invalid:
[admin@rtr1.CPE] > /mpls/ldp/remote-mapping/print where dst-address~":"
Flags: I - INACTIVE; D - DYNAMIC
Columns: VRF, DST-ADDRESS, LABEL, PEER
 #    VRF   DST-ADDRESS       LABEL      PEER       
18 ID main  b00b::10:0:10:11  41         10.0.10.1:0
19 ID main  ::1               impl-null  10.0.10.1:0
20 ID main  b00b::10:0:10:1   impl-null  10.0.10.1:0
21 ID main  b00b::10:0:10:2   36         10.0.10.1:0
22 ID main  b00b::10:0:10:3   37         10.0.10.1:0
23 ID main  b00b::10:0:10:4   38         10.0.10.1:0
24 ID main  b00b::10:0:10:5   39         10.0.10.1:0
25 ID main  b00b::10:0:10:6   40         10.0.10.1:0
26 ID main  b00b::10:0:10:12  42         10.0.10.1:0
27 ID main  b00b::10:0:10:13  43         10.0.10.1:0
28 ID main  b00b::10:0:10:14  44         10.0.10.1:0
29 ID main  b00b::10:0:10:15  45         10.0.10.1:0
30 ID main  b00b::10:0:10:16  35         10.0.10.1:0
MPLS LDP config is as simple as it could be:
[admin@rtr1.CPE] > /mpls/ldp/export 
# 2025-06-02 12:20:45 by RouterOS 7.20beta2
# system id = oKK2tXYASwB
#
/mpls ldp
add afi=ip,ipv6 disabled=no lsr-id=10.0.10.11 preferred-afi=ipv6 transport-addresses=10.0.10.11,b00b::10:0:10:11
/mpls ldp interface
add accept-dynamic-neighbors=yes afi=ip,ipv6 disabled=no interface=ether2
Nexthops are missing in /mpls/ldp/remote-mapping/print, so all of them are invalid, and so there is no label for them in /mpls/forwarding-table/print either. What did we configure improperly?
 
teslasystems
Frequent Visitor
Posts: 83
Joined: Sun Aug 09, 2015 3:00 pm

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 3:39 pm

Hmmm, I didn't notice this line, but why did they change this? From now on my scripts won't work if matching \t characters in exported configurations?
Maybe they were trying to make tab width adjustable, but made a total mess of it instead.
Not sure about exports, but this causes problems if you need to copy a script into an external editor, modify it and copy it back. In such a case, all tabs that you use as indents for readability will be lost.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 4:16 pm

"replace TAB characters with spaces when editing scripts"
[...]
Please return it back! I mean, TAB character should NOT be replaced, and tab-width parameter should only be used to correctly display TAB character in WinBox or console.
Doesn't it bother anyone who works with scripts?
I'm not sure why MikroTik decided to weigh in on the decades-long "spaces-vs-tabs debate". I generally do use spaces & rarely edit scripts using CLI "edit" or WinBox, so not per se an issue for me. But there were less controversial things to fix in this area. WinBox's proportional fonts and lack of syntax checking(/colors) for scripts seem like bigger usability issues than spaces and tab-stops.
 
Kentzo
Forum Veteran
Posts: 710
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 7:43 pm

@Amm0 Many times I considered developing an LSP, I wish Mikrotik funded open source projects…
 
hknet
Member Candidate
Posts: 128
Joined: Sun Jul 17, 2016 6:05 pm
Location: Vienna, Austria

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 8:33 pm

Well ROS v7.20beta2 seems to kill ipsec-vpns to many endpoints (here all fortigate-tunnels are down after the upgrade);
switching back to v7.19.2 - ipsec goes up again...
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 10:17 pm

@Amm0 Many times I considered developing an LSP, I wish Mikrotik funded open source projects…
All roads to an LSP involve some form of schema (whether BNF, OpenAPI, etc), which is lacking. I thought before "/console/inspect request=completion" could be used as part of an LSP, but then the LSP always would need a connection to a router (which is not how LSPs typically work, adding more difficulty to OSS LSP).

The WinBox script edit dialog is just horrible – I cannot imagine anyone using it for anything beyond a few lines. But perhaps the positive view of the new "tab size" control is at least a [tiny] step to improving script/config editing.
 
Kentzo
Forum Veteran
Posts: 710
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: v7.20beta [testing] is released!

Mon Jun 02, 2025 10:46 pm

All roads to an LSP involve some form of schema (whether BNF, OpenAPI, etc), which is lacking. I thought before "/console/inspect request=completion" could be used as part of an LSP, but then the LSP always would need a connection to a router (which is not how LSPs typically work, adding more difficulty to OSS LSP).

The language is not terribly complex though and having RouterOS running in a VM / container is not that big of a problem for a niche product. It's even better user experience if you check your script against the router (version and packages).

I didn't know about "/console/inspect request=completion". For a while I harbored an idea to write a script that would brute force all available combinations of menus and properties to generate a static syntax definition. It won't be as good as an LSP implementation, but definitely an improvement over my current https://packagecontrol.io/packages/MikrotikScript. Hit me at https://github.com/Kentzo/MikrotikScript if you have interest to help with that :)
 
nzlme
just joined
Posts: 8
Joined: Wed Sep 15, 2010 9:04 am
Location: Auckland, New Zealand

Re: v7.20beta [testing] is released!

Tue Jun 03, 2025 12:38 am

Re: *) sfp - improved initialization and linking for sfp28 on CRS518;

I am having initialization issues with 25G QSFP28 fs.com optics on CRS518-16XS-2XQ r2.

The optic DDM / EPROM readout looks fine until it starts receiving light, then it stabilizes, looks like it's trying to link up, and then back to initialization.

I have this issue on 7.18.2 and tried installing 7.20beta2, same issue. I have multiple of these 10KM optics in a CRS518 https://www.fs.com/au/products/151887.html 10/25GBASE-D SFP28 BiDi 1330nm-TX/1270nm-RX 10km DOM Simplex LC/UPC SMF Transceiver Module (Industrial), and have also tried with the 20KM variant, same issue with the 20KM.

They all look fine when not receiving light, but go into an initialization loop as soon as they receive light and try to link up.
TIL there is such a thing as setting the FEC mode on these optics.

As per support I ran
interface/ethernet/set fec-mode=fec91 sfp28-5
and now I have link up!

Also a helpful read here > https://help.mikrotik.com/docs/spaces/R ... hernet-FEC and worth noting that what Mikrotik Calls FEC 91 other vendors call FEC CL108, though it is the same underlying standard just with two names. It seems in my case the Tik didn't like negotiating FEC with the Cisco Catalyst 9300 on the other end, and once the Tik was set to FEC 91 it linked up fine.
 
bajodel
Long time Member
Posts: 553
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.20beta [testing] is released!

Tue Jun 03, 2025 9:57 am

For labbing, the default CHR limit of 1Mb/s is quite annoying; could it be raised to 10 Mb/s?
I think there would be no loss of money for MT.. no production/hobby/home use would accept it.
What do you think ?
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Tue Jun 03, 2025 10:30 am

You can upgrade the CHR licence to 10gbit or unlimited. All you need is a mikrotik account
It will run as a trial for a certain period of time then it just..... keeps running....
Totally fine for lab use
 
asoroka
just joined
Posts: 9
Joined: Tue Sep 26, 2023 5:26 pm

Re: v7.20beta [testing] is released!

Tue Jun 03, 2025 10:48 am

*) dhcpv4-server - added "lease-agent-circuit-id" and "lease-agent-remote-id" variables to the lease script;
thank you thank you thank you for this!

Now I just want hardware accelerated vxlan on ipv6 :)
I wonder how this can help? For example, for client authorization via option82, it is necessary that the data "lease-agent-circuit-id" and "lease-agent-remote-id" are parsed before the request goes to the radius server. Or this parsing should be implemented on the billing system side, but usually all free billings do not provide this. I really hope that one day MikroTik will add something like lua scripts as implemented in accell-ppp.
 
Babujnik
newbie
Posts: 37
Joined: Fri May 05, 2017 2:15 pm

Re: v7.20beta [testing] is released!

Tue Jun 03, 2025 11:23 am

*) container - added support for cpuset, cpu, memory, pids cgroups;
nice, now we can run containers with fully supported systemctl:
#   NAME      ROOT-DIR  INTERFACE  WORKDIR  MEMORY-CURRENT  TAG                                            
0 R ubi-init  ubi-init  veth1      /        128.0KiB        registry.access.redhat.com/ubi9/ubi-init:latest
it takes a moment for services to start once container is running but works fine:
[root@dev /]# systemctl status nginx
○ nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
     Active: inactive (dead)
[root@dev /]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
     Active: active (running) since Tue 2025-06-03 08:21:00 UTC; 14s ago
    Process: 31 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
    Process: 34 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
    Process: 35 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
   Main PID: 38 (nginx)
      Tasks: 2 (limit: 5484)
     Memory: 2.2M
        CPU: 16ms
     CGroup: /init/system.slice/nginx.service
             ├─38 "nginx: master process /usr/sbin/nginx"
             └─39 "nginx: worker process"

Jun 03 08:20:53 dev systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jun 03 08:20:58 dev nginx[34]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jun 03 08:20:58 dev nginx[34]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jun 03 08:21:00 dev systemd[1]: Started The nginx HTTP and reverse proxy server.
[root@dev /]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 08:19 ?        00:00:00 /sbin/init
root        10     0  0 08:20 pts/0    00:00:00 /bin/bash -i
root        24     1  0 08:20 ?        00:00:00 /usr/lib/systemd/systemd-journald
root        32     1  0 08:20 ?        00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root        38     1  0 08:20 ?        00:00:00 nginx: master process /usr/sbin/nginx
nginx       39    38  0 08:20 ?        00:00:00 nginx: worker process
root        43    10  0 08:22 pts/0    00:00:00 ps -ef
 
mh04
just joined
Posts: 2
Joined: Thu Apr 20, 2023 9:30 am

Re: v7.20beta [testing] is released!

Tue Jun 03, 2025 10:43 pm

*) switch - improved ingress-rate limit precision for 88E6393X, 88E6191X and 88E6190 switches;

Just tested with 7.20beta2 (RB5009)

[admin@RB5009] /interface/ethernet/switch/port> print
Flags: R - RUNNING
Columns: NAME, SWITCH, INGRESS-RATE, EGRESS-RATE
# NAME SWITCH INGRESS-RATE EGRESS-RATE
0 R ether1 switch1
1 R ether2 switch1 55.0Mbps 55.0Mbps

Result on test device connected to ether2 with 7.20beta2:
Download: 52 Mbit/s
Upload: 22 Mbit/s

Result on test device connected to ether2 with 7.19.1:
Download: 52 Mbit/s
Upload: 1.65 Mbit/s

It's better but still unusable. Unfortunately, egress/ingress shaping using a switch chip has never worked accurately with mikrotik devices, especially on CRS3xx devices it's a real shame that you can't use the shaping - we would really need it there.
 
bajodel
Long time Member
Posts: 553
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 7:18 am

You can upgrade the CHR licence to 10gbit or unlimited. All you need is a mikrotik account ..[cut]..
I know, but it's impractical IMHO to "free/demo tier" all nodes in a lab (might be 2 ..or 10), then you have another lab with more, then you need to reset the lab -> re-license all of them again..
Two months later, you might need to update the routeros in the lab.. and, again, the same problem.
You can do that once or twice, but it would be so much easier to have a decent limit at 10 Mb/s and forget the struggle.

Please MT, consider updating the limit to 10Mb/s or give us a way to lab in a more convenient way.. thanx.
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 9:57 am

Please MT, consider updating the limit to 10Mb/s or give us a way to lab in a more convenient way.. thanx.
What function do you need higher demo limit for?
 
normis
MikroTik Support
Posts: 27129
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 10:08 am

You can get a trial CHR license without the limit. Say what you want but CHR has the most relaxed licensing system imaginable.

- You can get a free license with a speed limit and run it forever
- You can get a trial license for a whole whopping 60 days with no limitations at all
- The trial still works after 60 days, just upgrades stop working, but many of you don't upgrade anyway

What else could you wish for?
 
mrz
MikroTik Support
Posts: 7216
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 10:10 am

And speed limit is adequate for feature testing purposes. In some parts of the world you have less speed for the whole city than you get with ROS free license speed limit.
 
bajodel
Long time Member
Posts: 553
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 2:10 pm

You're right, I totally agree that CHR has the most relaxed licensing system imaginable .. and BTW .. THANKS!

About "speed limit is adequate for feature testing purposes".. not really, when I need to test some load-balancing, or bonding, ..., it's difficult to get an immediate feed-back (I need to check on devices where the traffic is going because the control plane traffic and data one are mixing and in the same 'magnitude scale' (when you have 1 Mb/s limit, the traffic you inject for testing should be much less ..and sometimes it might be comparable to the cplane).

About flexibility: you can indeed put a trial license on (e.g.) 10 CHR devices in a lab but, as soon as you create a copy of the project/topology for another scenario, you have to do that again. NOTE: often I need to reset the (virtual) device in a lab because of some weird interface assignment (starting for example from ether4, ether5 .. which corrupts the config); in this case you (again) have to re-license them all.

I just asked if you think it's possible (/sensible) since I think NOBODY would accept a free-tier 10Mb/s limit IN any REAL scenario that is not a virtual lab.
If it's a bad idea or you think it's not viable, that's it .. I understand.

Thanks anyway for the feedback, very much appreciated. Have a nice day guys.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 2:23 pm


About flexibility: you can indeed put a trial license on (e.g.) 10 CHR devices in a lab but, as soon as you create a copy of the project/topology for another scenario, you have to do that again. NOTE: often I need to reset the (virtual) device in a lab because of some weird interface assignment (starting for example from ether4, ether5 .. which corrupts the config); in this case you (again) have to re-license them all.
Let's be real though, it's bugger all effort compared to what you are getting in return. If you think that's difficult, go and try to get access to Huawei enterprise firmware or documentation for instance. It's an absolute bloody nightmare
It's a very small price to pay for the niche times you need more than the 1mbit limit. And if you are really truly that desperate, use the same lab and backup your configs. Wipe the nodes and upload/restore the appropriate config

Nobody would be upset with a higher limit but it's already an insanely generous and entirely functional system

I just asked if you think it's possible (/sensible) since I think NOBODY would accept a free-tier 10Mb/s limit IN any REAL scenario that is not a virtual lab.
If it's a bad idea or you think it's not viable, that's it .. I understand.
Nobody does. We all license our production CHR instances. They're really very cheap, and if you really can't do that it's an incredibly small ask to simply add a trial licence and if you need to upgrade months down the track, backup your config, delete the instance, recreate it with the latest version, re-trial it and apply your config. It's all of about 5 minutes work
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 2:30 pm

So get 10 licenses for 1 Gbit at $45 each (listprice, I see someone offering them for 35,70 euro which is less), and be done with it.
When your "project" cannot afford that, how much of a project is it really?
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 2:50 pm

when I need to test some load-balancing, or bonding, ..., it's difficult to get an immediate feed-back
For these kinds of tests, you will need real HW based MTik devices. 1Mbps is enough for most CPlane tests. It is annoying if I want to upgrade my CHR LAB (12 devices) through the LAB network, with 1Mbps, it takes more than half an hour, but I can live with this inconvenience.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 3:47 pm

when I need to test some load-balancing, or bonding, ..., it's difficult to get an immediate feed-back
It is annoying if I want to upgrade my CHR LAB (12 devices) through the LAB network, with 1Mbps, it takes more than half an hour, but I can live with this inconvenience.
This is probably the only thing I find irksome with the 1mbit limit, takes too damn long to download the update. Especially when you have nodes in a daisy chain and they're all sharing a 1mbit pipe
Unlimited bandwidth to MikroTik package servers would be welcome. Still, I can live with it, it's a lab
 
mkx
Forum Guru
Posts: 13817
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 5:42 pm

This is probably the only thing I find irksome with the 1mbit limit ....

If it irks you that much, then scratch yourself (with a $45 license). It's not fair to expect that MT will scratch you.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 5:57 pm

You can get a trial CHR license without the limit. Say what you want but CHR has the most relaxed licensing system imaginable.

- You can get a free license with a speed limit and run it forever
- You can get a trial license for a whole whopping 60 days with no limitations at all
- The trial still works after 60 days, just upgrades stop working, but many of you don't upgrade anyway

What else could you wish for?
I use Webfig almost exclusively (old habits die hard, I guess), and I agree that 1Mbps makes managing the machines feel a bit lethargic, especially with the new UI. Perhaps 10Mbps is too much, but something between 2 and 5Mbps might be a compromise, or maybe adding a healthy burst amount on the throttler would help.

I personally am happy with the licensing, but the current licensing process can get in the way of automation and lab development. (Unless I'm missing something...)

For labbing in a virtual environment, it's not uncommon for developers to spin up a slew of "freshly-baked" ephemeral VM's that are preconfigured for the test environment. A common case is a bunch of Linux, Windows, or Mac VM's that are spun up from a template with the bare minimum installed to support the developer's app. Once app testing is done, the VM's are shut down and often deleted.

If there was a way to preload licensing credentials or a lab license file, along with a base config, so that when you spin up a cluster of CHR VMs (like in GNS3) they're ready to go (without the 1Mbps limit), that would be great, especially for air-gapped lab testing (i.e. no Internet connection). Or give an air-gapped CHR VM a 24-hour window for unlimited bandwidth (similar to x86), then throttle to 1Mbps after the initial 24 hours. In that case, you're not flooding a user's MikroTik account with a bunch of CHR trial licenses for ephemeral VM's that will never come back.

I would love to hear how MikroTik's developers automate configuration and licensing of their VM's.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 6:26 pm

You can get a trial CHR license without the limit. Say what you want but CHR has the most relaxed licensing system imaginable.

- You can get a free license with a speed limit and run it forever
- You can get a trial license for a whole whopping 60 days with no limitations at all
- The trial still works after 60 days, just upgrades stop working, but many of you don't upgrade anyway
[...]
I personally am happy with the licensing, but the current licensing process can get in the way of automation and lab development. (Unless I'm missing something...)
I'm with Normis on this one - I don't think it's unfair. The fact that it works out-of-box without any login/credentials/keys/etc is already ahead of most other commercial products/services IMO. I'm still surprised that an expired trial does NOT revert to 1Mb/s, which seems rather generous, given re-creating VMs isn't hard.

And for automation, it's just one command that can be inserted into any :import script that will license the "trial" version... assuming you created a free www.mikrotik.com account:
/system/license/renew account=ammo password=XXXXXXXXXXXX level=p10
Now I suppose if you do a lot of automated testing, the www.mikrotik.com account might get "full" at some point with previously licensed, now deleted CHR VMs... But I don't know when MikroTik starts rejecting trial licenses, since never seen it, so...

What else could you wish for?
Being able to delete "expired licenses" on www.mikrotik.com...
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 6:59 pm

*) bth - added extra file-share functionality for use with apps;
I'm not sure what those changes are... But...

Is there some way to "force proxy mode" in using /ip/cloud/back-to-home-files?

The use case is that if I "share a file", I may not want to [indirectly via DNS] share my public IP address too.

And while firewall tricks with DDNS might be able to "fool" back-to-home-file - it also affects BTH VPN.
Basically I'd like to be able to use "direct if possible" with VPN, but "force proxy" with the file sharing - and not sure that's possible by "fooling" /ip/cloud DDNS in firewall.
 
hknet
Member Candidate
Posts: 128
Joined: Sun Jul 17, 2016 6:05 pm
Location: Vienna, Austria

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 8:09 pm

couldn't get BGP to work (7.20beta2) because the router-id was claimed to be invalid (found no solution - tried virtually anything I could find also in the template);
reverted back to 7.19.2
 
mrz
MikroTik Support
Posts: 7216
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 8:17 pm

couldn't get BGP to work (7.20beta2) because the router-id was claimed to be invalid (found no solution - tried virtually anything I could find also in the template);
reverted back to 7.19.2
Like mentioned several times already, send a supout file from v7.19 to support.
 
kristapsc
just joined
Posts: 3
Joined: Sat Feb 22, 2025 1:00 am

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 9:52 pm

*) dhcpv4-server - added "lease-agent-circuit-id" and "lease-agent-remote-id" variables to the lease script;
thank you thank you thank you for this!

Now I just want hardware accelerated vxlan on ipv6 :)
I wonder how this can help? For example, for client authorization via option82, it is necessary that the data "lease-agent-circuit-id" and "lease-agent-remote-id" are parsed before the request goes to the radius server. Or this parsing should be implemented on the billing system side, but usually all free billings do not provide this. I really hope that one day MikroTik will add something like lua scripts as implemented in accell-ppp.
These values are passed to radius server, although the DHCP-options-to-RADIUS-attributes mapping is neither well documented nor configurable
 
pants6000
Frequent Visitor
Posts: 93
Joined: Fri Sep 26, 2014 5:30 am

Re: v7.20beta [testing] is released!

Wed Jun 04, 2025 11:23 pm

I know it's not the feature requests thread but +1 to the "more CGNAT features" thoughts above!
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 12:04 am

*) dhcpv4-server - added "lease-agent-circuit-id" and "lease-agent-remote-id" variables to the lease script;
thank you thank you thank you for this!

Now I just want hardware accelerated vxlan on ipv6 :)
I wonder how this can help? For example, for client authorization via option82, it is necessary that the data "lease-agent-circuit-id" and "lease-agent-remote-id" are parsed before the request goes to the radius server. Or this parsing should be implemented on the billing system side, but usually all free billings do not provide this. I really hope that one day MikroTik will add something like lua scripts as implemented in accell-ppp.
Well, the "lease script" can do absolutely nothing for "client authorization", as it is called after a lease has already been acknowledged.
It is intended to provide a hook to handle new systems, e.g. to create a DNS record, to send an alert mail when new systems join the network, etc.
I have proposed before that a "pre-lease script" could be added that is called when the request comes in, and that can examine the request parameters and decide whether a lease should be granted, from what pool, etc. In that functionality, mapping of requests to RADIUS could also be done, e.g. by setting some magic variables (that RouterOS first sets to a default, and that the user can then modify when desired).
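The quoted post mentions doing the option 82 parsing on the billing system side. As an added example (not code from any poster or from MikroTik), this is a defensive parser for the raw Relay Agent Information payload, whose sub-option codes 1 (circuit-id) and 2 (remote-id) come from RFC 3046. It assumes the billing system receives the raw option bytes; the function names are hypothetical and the sample bytes are constructed.

```python
CIRCUIT_ID, REMOTE_ID = 1, 2    # sub-option codes defined by RFC 3046

class Option82Error(ValueError):
    """The relay agent information payload is malformed."""

def parse_option82(payload: bytes) -> dict:
    """Split the option 82 payload into {sub-option code: value bytes}."""
    subopts, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise Option82Error(f"truncated sub-option header at offset {i}")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise Option82Error(f"sub-option {code} claims {length} bytes, {len(value)} present")
        if code in subopts:
            # Policy choice of this example: an ambiguous request is rejected.
            raise Option82Error(f"sub-option {code} repeated")
        subopts[code] = value
        i += 2 + length
    return subopts

def subscriber_key(payload: bytes) -> str:
    """Build a lookup key 'remote-id/circuit-id' (both hex) for an authorization check."""
    subopts = parse_option82(payload)
    for code, label in ((CIRCUIT_ID, "circuit-id"), (REMOTE_ID, "remote-id")):
        if not subopts.get(code):
            raise Option82Error(f"{label} missing or empty")
    return f"{subopts[REMOTE_ID].hex()}/{subopts[CIRCUIT_ID].hex()}"

# Constructed sample: circuit-id "ge-0/0/7:100", remote-id 00:11:22:33:44:55.
SAMPLE = bytes([1, 12]) + b"ge-0/0/7:100" + bytes([2, 6]) + bytes.fromhex("001122334455")

if __name__ == "__main__":
    print(subscriber_key(SAMPLE))
    for bad in (SAMPLE[:-2], SAMPLE[:15], SAMPLE + SAMPLE[:14]):
        try:
            subscriber_key(bad)
        except Option82Error as exc:
            print("rejected:", exc)
```

The values are only as trustworthy as the relay that inserted them, so a key built this way should be accepted only for requests arriving through a known relay agent.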
 
sinisa
newbie
Posts: 35
Joined: Sun Apr 17, 2011 12:46 am

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 2:38 pm

I am starting to get (again, after a few versions): "could not save configuration changes, not enough storage space available." on hAP ac2 with wifi-qcom-ac and minimal AP/CAPsMAN/NAT router/DHCP server/wireguard config. Everything was fine until 7.19rc3 (this is my home device, always on latest testing-development channel).
I know, I can netinstall it and save a few bytes, but wouldn't it be easier for Mikrotik to finally split wifi-qcom-ac into two packages, as suggested many times before, and fix this problem once for all 16MB devices?
 
infabo
Forum Guru
Posts: 1746
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 3:09 pm

@sinisa you can show your support over here viewtopic.php?t=217142
 
federalbr
just joined
Posts: 1
Joined: Fri Nov 17, 2023 4:44 pm
Location: Natal, Brazil

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 4:35 pm

I am starting to get (again, after a few versions): "could not save configuration changes, not enough storage space available." on hAP ac2 with wifi-qcom-ac and minimal AP/CAPsMAN/NAT router/DHCP server/wireguard config. Everything was fine until 7.19rc3 (this is my home device, always on latest testing-development channel).
I know, I can netinstall it and save a few bytes, but wouldn't it be easier for Mikrotik to finally split wifi-qcom-ac into two packages, as suggested many times before, and fix this problem once for all 16MB devices?
I'm waiting for them to do this, I depend on this to install the wifi-qcom-ac package on my ac2
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 5:01 pm

@Amm0 Many times I considered developing an LSP, I wish Mikrotik funded open source projects…
@Kentzo, I wrote up what I know about /console/inspect and LSPs in this thread:
viewtopic.php?t=217229
 
wispmikrotik
Member Candidate
Posts: 164
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 6:23 pm

couldn't get BGP to work (7.20beta2) because the router-id was claimed to be invalid (found no solution - tried virtually anything I could find also in the template);
reverted back to 7.19.2
Like mentioned several times already send a supout file from v7.19 to support.
Sorry @mrz, but... can't you test it yourselves with all the resources and devices you have?

You're asking users to be beta testers. Can't you reproduce something as basic as this? It happens with several users. I don't think it's too difficult to reproduce the problem yourself.
 
infabo
Forum Guru
Posts: 1746
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 6:29 pm

I believe Mikrotik support engineers or developers are probably not allowed or able to investigate bugs independently and on their own initiative. It likely needs to go through the support helpdesk first, where it gets triaged and prioritized before being assigned accordingly. There is surely a defined workflow for this, and "cherry-picking issues from the forum release topic" is probably not part of the official process.
 
volga629
Frequent Visitor
Posts: 84
Joined: Tue Nov 19, 2013 6:21 am

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 9:35 pm

Hooray !!! EVPN in place. Lab time.


Thank you Mikrotik Team.
 
volga629
Frequent Visitor
Posts: 84
Joined: Tue Nov 19, 2013 6:21 am

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 9:45 pm



Like mentioned several times already send a supout file from v7.19 to support.
Sorry @mrz, but... can't you test it yourselves with all the resources and devices you have?

You're asking users to be beta testers. Can't you reproduce something as basic as this? It happens with several users. I don't think it's too difficult to reproduce the problem yourself.
Did you try not specifying any router ID in BGP?
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 10:17 pm



Like mentioned several times already send a supout file from v7.19 to support.
Sorry @mrz, but... can't you test it yourselves with all the resources and devices you have?

You're asking users to be beta testers. Can't you reproduce something as basic as this? It happens with several users. I don't think it's too difficult to reproduce the problem yourself.

You do realize this is a beta release, and the first publicly available beta of this version at that. By loading it onto your router, you are volunteering to be a beta tester. They can't imagine up your configuration and outcome without seeing specifically what the router is doing.

Sending them a support file from 7.19 doesn't even require you to keep running the beta. It takes all of a couple of minutes to grab the file, open a ticket, upload the file, and voila--done.
 
BartoszP
Forum Guru
Posts: 3359
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 11:10 pm

couldn't get BGP to work (7.20beta2) because the router-id was claimed to be invalid (found no solution - tried virtually anything I could find also in the template);
reverted back to 7.19.2
For BGP instance put the ASN id into configuration .. simple, easy, fast solution.
 
fischerdouglas
Frequent Visitor
Posts: 99
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: v7.20beta [testing] is released!

Thu Jun 05, 2025 11:58 pm

Well, the "lease script" can do absolutely nothing for "client authorization", as it is called after a lease has already been acknowledged.
It is intended to provide a hook to handle new systems, e.g. to create a DNS record, to send an alert mail when new systems join the network, etc.
I have proposed before that a "pre-lease script" could be added that is called when the request comes in, and that can examine the request parameters and decide whether a lease should be granted, from what pool, etc. In that functionality, mapping of requests to RADIUS could also be done, e.g. by setting some magic variables (that RouterOS first sets to a default, and that the user can then modify when desired).
Rewrite Radius-Request username with Circuit-ID DHCP-Option82 or PPPoE+

Suggestion: Hooks to Scripts on /routing/filter/rule actions
 
guipoletto
Member Candidate
Posts: 223
Joined: Mon Sep 19, 2011 5:31 am

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 1:16 am

A further enhancement needed to make either option82 or PPPoE+ actually useful is the ability to compose the injected option82 (circuit AND-OR remote-id) tag using local variables
(inbound-port, inbound-mac, inbound-vlan, node-id, etc...)

As implemented today, snooping happens on all-interfaces, all-vlans, at the same time, and simply rewrites the option82 header with the inbound interface "internal interface name".

This is not really useful in a practical scenario (imagine a 2-tiered Gpen network with 14 Netpower-16 connected to a CRS317, then upstream to a router).
If one enables snooping in the Netpower "tier", inbound requests get tagged with the local interface name "ether1-16", and you end up with 16 clients with the same CID.
If one enables snooping in the CRS317, you end up with all customers in a given Netpower having the same CID, as tagged by the CRS317: "sfp-sfpplus1-14".
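
The collision described in the post above, as an added example that is not part of the original post and is not RouterOS code: it encodes and parses DHCP Option 82 (RFC 3046) for a constructed 14 x 16 port topology and counts how many subscribers a DHCP or RADIUS server can still tell apart. The node names and the composed format (port as circuit-id, node-id as remote-id) are assumptions for illustration, not an existing RouterOS setting.

```python
from collections import Counter

OPT_RELAY_AGENT_INFO = 82  # RFC 3046 Relay Agent Information option
SUB_CIRCUIT_ID = 1         # Agent Circuit ID sub-option
SUB_REMOTE_ID = 2          # Agent Remote ID sub-option


def build_option82(circuit_id: bytes, remote_id: bytes = b"") -> bytes:
    """Encode option 82: code, length, then sub-option code/length/value TLVs."""
    body = b""
    for code, value in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if not value:
            continue
        if len(value) > 255:
            raise ValueError("sub-option value longer than 255 bytes")
        body += bytes([code, len(value)]) + value
    if len(body) > 255:
        raise ValueError("option 82 payload longer than 255 bytes")
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(option: bytes) -> dict:
    """Decode option 82 into {sub-option code: value}; reject truncated input."""
    if len(option) < 2 or option[0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    body = option[2:]
    if len(body) != option[1]:
        raise ValueError("option length does not match payload")
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sub_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + sub_len
    return subs


def subscribers():
    """Constructed topology: 14 access switches x 16 ports behind one aggregation switch."""
    for node in range(1, 15):
        for port in range(1, 17):
            yield {
                "node": f"netpower-{node:02d}",      # hypothetical node-id
                "access_port": f"ether{port}",       # port on the access switch
                "agg_port": f"sfp-sfpplus{node}",    # uplink port on the aggregation switch
            }


def tag_at_access(sub):
    """Snooping on the access tier: circuit-id is only the local interface name."""
    return build_option82(sub["access_port"].encode())


def tag_at_aggregation(sub):
    """Snooping on the aggregation tier: circuit-id is the uplink interface name."""
    return build_option82(sub["agg_port"].encode())


def tag_composed(sub):
    """Hypothetical composed tag: port as circuit-id, node-id as remote-id."""
    return build_option82(sub["access_port"].encode(), sub["node"].encode())


def collision_report(tagger):
    """Count how many subscribers share each (circuit-id, remote-id) pair."""
    counts = Counter()
    for sub in subscribers():
        subs = parse_option82(tagger(sub))
        counts[(subs.get(SUB_CIRCUIT_ID, b""), subs.get(SUB_REMOTE_ID, b""))] += 1
    return {
        "subscribers": sum(counts.values()),
        "distinct_ids": len(counts),
        "largest_group": max(counts.values()),
        "ambiguous_ids": sum(1 for n in counts.values() if n > 1),
    }


if __name__ == "__main__":
    for name, tagger in (("access tier", tag_at_access),
                         ("aggregation tier", tag_at_aggregation),
                         ("composed", tag_composed)):
        print(name, collision_report(tagger))
```

Any identifier with `ambiguous_ids` above zero cannot be used on its own to bind a lease or a RADIUS authorization to a single subscriber.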
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 1:39 am

This should be an option but shouldn't be the 'only' option if they are going to improve leases
Splynx (which uses FreeRADIUS for its backend) can already authenticate directly with circuit/remote ID and simply ignore the username/MAC address
I'd like to see the same thing directly on RouterOS as well as User Manager

It's not a big deal running Splynx for authentication on a major network for direct customers. For the tenants of the customer (i.e. internal network) I want to localize the authentication to their MikroTik router itself for i.e. holiday parks, hotels/motels, multi tenancy businesses. Not having to involve any third party software
 
Cha0s
Forum Guru
Posts: 1166
Joined: Tue Oct 11, 2005 4:53 pm

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 2:26 am

couldn't get BGP to work (7.20beta2) because the router-id was claimed to be invalid (found no solution - tried virtually anything I could find also in the template);
reverted back to 7.19.2
For BGP instance put the ASN id into configuration .. simple, easy, fast solution.
The real question is, what exactly is the correct configuration to have prior to upgrading to v7.20, so that after upgrading, BGP works out of the box?

There are routers that won't be accessible remotely to correct the ASN and/or router-id after the fact, so MikroTik should publish a valid/tested upgrade path (covering at least a few common setups) so we don't have to travel to remote datacenters and mountains to do the upgrade.
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 2:57 am

Don't you guys have OOB management so that you can re-establish control of the device and fix this? I'm not saying MT is not at fault here; actually you are right, they should have test coverage for these basic things :). What I'm trying to emphasize is that for a worst-case scenario you have a backdoor to manage the device. Just my 0.002$, don't get me wrong :)
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 3:39 am


There are routers that won't be accessible remotely to correct the ASN and/or router-id after the fact, so MikroTik should publish a valid/tested upgrade path (covering at least a few common setups) so we don't have to travel to remote datacenters and mountains to do the upgrade.


And this is precisely why it's a beta firmware. Specifically so it can be used for testing, finding problems, determining fixes and then implemented before the production release :)

A lot of people on this forum do tend to forget that. Then again, v7 itself is largely still a beta with a lot of outstanding problems.... Would help tremendously if MikroTik did release a bug tracker, as has been mentioned many times before
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 3:48 am

I asked before but got no response. In its current state does EVPN work with Traffic Engineering paths? Or, another way to ask it, is EVPN MPLS supported or only EVPN VXLAN?
If not - @MikroTik is it planned to be supported? Or even better is Segment Routing on the roadmap?
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 3:52 am

@millenium7 it wasn't clear; there's no roadmap or anything. I hope mac-vrf and anycast gateway should also be included, just like @fischerdouglas wanted. Let's just hope and trust them to do the right thing :)
Last edited by loloski on Fri Jun 06, 2025 4:30 am, edited 1 time in total.
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 3:58 am

The idea of a viewable bug tracker most likely doesn't sit well with MT :)
 
mrz
MikroTik Support
Posts: 7216
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 8:11 am

I asked before but got no response. In its current state does EVPN work with Traffic Engineering paths? Or, another way to ask it, is EVPN MPLS supported or only EVPN VXLAN?
If not - @MikroTik is it planned to be supported? Or even better is Segment Routing on the roadmap?
Currently only EVPN VXLAN is supported.
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 10:07 am



For BGP instance put the ASN id into configuration .. simple, easy, fast solution.
The real question is, what exactly is the correct configuration to have prior to upgrading to v7.20, so that after upgrading, BGP works out of the box?
There are routers that won't be accessible remotely to correct the ASN and/or router-id after the fact, so MikroTik should publish a valid/tested upgrade path (covering at least a few common setups) so we don't have to travel to remote datacenters and mountains to do the upgrade.
viewtopic.php?t=217089#p1146042

ASN copied from template, router-id didn't, for me. Maybe MT fix router-id migration.
Last edited by oreggin on Fri Jun 06, 2025 10:13 am, edited 1 time in total.
 
melectronics
just joined
Posts: 24
Joined: Fri Oct 06, 2023 7:43 pm
Location: Germany

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 10:08 am

@mrz And breaks (e)BGP with VXLAN. With GRE it still works.
 
rextended
Forum Guru
Posts: 13149
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 10:56 am

There are routers that won't be accessible remotely to correct the ASN and/or router-id after the fact, so MikroTik should publish a valid/tested upgrade path (covering at least a few common setups) so we don't have to travel to remote datacenters and mountains to do the upgrade.
In general, but why do you update them?
if they work, they are very far away, and they block your service if something (anything) goes wrong during the update,
you really have to be hallucinating to do it.

Aside from the nonsense of putting beta versions into production and then complaining that they don't work,
everything must be tested first in the lab,
THEN, when there is SCHEDULED maintenance (because there is, right?) as it should always be done,
one can take advantage of it to replace the device with an updated one and, if it doesn't work, one can put the previous one back without problems.
 
BartoszP
Forum Guru
Posts: 3359
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 12:06 pm

Hit and sunk ... no more to say.
 
nz_monkey
Forum Guru
Posts: 2216
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 1:27 pm

I asked before but got no response. In its current state does EVPN work with Traffic Engineering paths? Or, another way to ask it, is EVPN MPLS supported or only EVPN VXLAN?
If not - @MikroTik is it planned to be supported? Or even better is Segment Routing on the roadmap?
Currently only EVPN VXLAN is supported.
I'm praying that eVPN in RouterOS supports MPLS in the near future
 
nichky
Forum Guru
Posts: 1418
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 1:45 pm

if that happens then probably we will not need vxlan.

we will probably get AFI:EVPN - god knows
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 2:15 pm

Currently only EVPN VXLAN is supported.
I'm praying that eVPN in RouterOS supports MPLS in the near future
Switch chips used in CRS/CCR have VXLAN support, so I think it is easy to implement EVPN-VXLAN fabric for DCs in RouterOS. MPLS is a totally different story; it is not a DC feature. If MT were pushing the MPLS lines, then we would have SR now.
You can hope for EVPN-SR/MPLS, but EVPN-VXLAN DC fabric is a nice feature for those who like a nice loop-free L2 network without STP.
 
Cha0s
Forum Guru
Posts: 1166
Joined: Tue Oct 11, 2005 4:53 pm

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 2:45 pm

There are routers that won't be accessible remotely to correct the ASN and/or router-id after the fact, so MikroTik should publish a valid/tested upgrade path (covering at least a few common setups) so we don't have to travel to remote datacenters and mountains to do the upgrade.
In general, but why do you update them?
if they work, they are very far away, and they block your service if something (anything) goes wrong during the update,
you really have to be hallucinating to do it.

Aside from the nonsense of putting beta versions into production and then complaining that they don't work,
everything must be tested first in the lab,
THEN, when there is SCHEDULED maintenance (because there is, right?) as it should always be done,
one can take advantage of it to replace the device with an updated one and, if it doesn't work, one can put the previous one back without problems.
WTF people. Move on. Did I say ANYWHERE that I put a beta version on production?
Stop this nonsense. My post was very clear. There MUST be a clear upgrade path so that we don't get locked out because of poor BGP instance implementation/upgrade logic.

Since no official MikroTik response (to my knowledge) mentions anything about how this new instance thing gets created based on what the pre v7.20 config was, we have no idea how to properly upgrade (WHEN the stable version of v7.20 gets released - jeez it's like talking to 5-year-olds).
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 3:42 pm

if that happens then probably we will not need vxlan.

we will probably get AFI:EVPN - god knows
I'm still learning exactly how to work with EVPN and VXLAN so I'm not an expert. But I do know that I have a growing need to be able to specify transit paths manually, overriding what the IGP wants to do. Hence on MikroTik at the moment the only option is TE with VPLS or EVPN MPLS if support is added
But VXLAN is a lot simpler to set up so there is still a viable use case for it when you don't care about transit path selection. And naturally it doesn't need to ride on MPLS end to end hence can go across other carriers or the internet

I still think SR and SRv6 are the best bang for buck for any service provider using MikroTik and would see that get seriously worked on. The 1 and only current TE option on MikroTik is buggy, slow (no FRR) and complicated
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 3:46 pm

Since no official MikroTik response (to my knowledge) mentions anything about how this new instance thing gets created based on what the pre v7.20 config was, we have no idea how to properly upgrade (WHEN the stable version of v7.20 gets released - jeez it's like talking to 5-year-olds).
If I'm right you need to open a ticket to support.
 
nz_monkey
Forum Guru
Posts: 2216
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 3:55 pm

Switch chips used in CRS/CCR have VXLAN support, so I think it is easy to implement EVPN-VXLAN fabric for DCs in RouterOS. MPLS is a totally different story; it is not a DC feature. If MT were pushing the MPLS lines, then we would have SR now.
You can hope for EVPN-SR/MPLS, but EVPN-VXLAN DC fabric is a nice feature for those who like a nice loop-free L2 network without STP.
I agree, both are needed, for different use cases.

eVPN+VXLAN for Datacentre
eVPN+MPLS for Service Provider
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 4:28 pm

Switch chips used in CRS/CCR have VXLAN support, so I think it is easy to implement EVPN-VXLAN fabric for DCs in RouterOS. MPLS is a totally different story; it is not a DC feature. If MT were pushing the MPLS lines, then we would have SR now.
You can hope for EVPN-SR/MPLS, but EVPN-VXLAN DC fabric is a nice feature for those who like a nice loop-free L2 network without STP.
I agree, both are needed, for different use cases.

eVPN+VXLAN for Datacentre
eVPN+MPLS for Service Provider
I was trying to point out that there is no MPLS support in existing chipsets. MPLS is in 98DX73xx, but if I'm right, this line of switch chips is not in MTik devices. I think it's because it is more expensive than VXLAN-only pieces. However, MPLS works with CPU power, but it won't be wirespeed. A 100G capable router with ~10G MPLS capacity is not too funny.
 
riv
newbie
Posts: 32
Joined: Wed Jun 07, 2006 4:16 am

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 8:57 pm

/routing/route , showing is-is routes flagged as RIP
 
holvoetn
Forum Guru
Posts: 7492
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 10:07 pm

Well ROS v7.20beta2 seems to kill ipsec-vpns to many endpoints (here all fortigate-tunnels are down after the upgrade);
switching back to v7.19.2 - ipsec goes up again...
You can add S2S towards Azure.
Working from L009 using 7.19.1.

Upgrade to 7.20b2 -> nada.
Downgrade again to 7.19.1 -> OK
 
fischerdouglas
Frequent Visitor
Posts: 99
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: v7.20beta [testing] is released!

Fri Jun 06, 2025 11:29 pm

Don't you guys have OOB management so that you can re-establish control of the device and fix this?
Out of band without a VRF for this is a huge inadequacy, for several reasons, including security.

Enabling VRF in RouterOS kills hardware offload.
So in practice, you have to choose between having a decent OOB or having performance.

Those responsible should be ashamed of this.
 
loloski
Long time Member
Posts: 533
Joined: Mon Mar 15, 2021 9:10 pm
Location: Philippines

Re: v7.20beta [testing] is released!

Sat Jun 07, 2025 1:27 am

They are going to fix this VRF issue in due time; just like the old saying, patience is a virtue for those who wait :) I hope this EVPN + VXLAN effort from them will pave a way to fix this issue for good. Yes, I'm going to make a big assumption, and I'm very hopeful :)
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: v7.20beta [testing] is released!

Sat Jun 07, 2025 1:59 am

I was trying to point out that there is no MPLS support in existing chipsets. MPLS is in 98DX73xx, but if I'm right, this line of switch chips is not in MTik devices. I think it's because it is more expensive than VXLAN-only pieces. However, MPLS works with CPU power, but it won't be wirespeed. A 100G capable router with ~10G MPLS capacity is not too funny.
Shouldn't matter if it's supported or not. If you're chasing ultimate speed, that's fine, you can use alternate hardware that does support your feature sets - like how it currently is with certain switching features - however VXLAN is not TE capable, so it's pointless when you have a viable need to use alternate routing paths. As all Service Providers beyond small scale do.
The good thing about lack of performance is usually it's easy to fix by just throwing more powerful hardware at it. Existing MikroTik hardware is already far more than powerful enough to route MPLS traffic at acceptable speeds for hundreds of customers per pop. If I really need more I can put x64 hardware and CHR instances in and easily achieve over 100gbit/s of pure software based routing.
 
voip4life
Frequent Visitor
Posts: 53
Joined: Fri Dec 16, 2005 11:52 pm
Location: US

Re: v7.20beta [testing] is released!

Sat Jun 07, 2025 6:12 pm

I have problems in previous working IPSec. Not working
Also my container has problems - could not find config.json. Not able to start
Same problem here with 7.20 beta2. Can't get containers to start/work, etc.
 
jnob
just joined
Posts: 19
Joined: Sun Sep 25, 2022 6:28 pm

Re: v7.20beta [testing] is released!

Sat Jun 07, 2025 6:33 pm

After upgrading to 7.20beta2 my IPSec tunnel to a Proton server is failing with:
digital signature verification failed

Advice?
 
holvoetn
Forum Guru
Posts: 7492
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.20beta [testing] is released!

Sat Jun 07, 2025 10:53 pm

After upgrading to 7.20beta2 my IPSec tunnel to a Proton server is failing with:
digital signature verification failed

Advice?
Move back to 7.19.1
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Sun Jun 08, 2025 12:19 am

Advice?
Move back to 7.19.1
Perhaps good idea. But I'd at least "Make supout.rif" before downgrading, so you can report it if desired.

Another option is to enable more IPSec logging in /system/logging/add topics=ipsec,!raw which might have some clues on what's causing it. (And if you capture the supout.rif AFTER adding logging, you'd at least save potential clues for MT support).
 
ckleea
Frequent Visitor
Posts: 70
Joined: Sun Apr 21, 2013 12:19 pm

Re: v7.20beta [testing] is released!

Sun Jun 08, 2025 3:55 am


Move back to 7.19.1
Perhaps good idea. But I'd at least "Make supout.rif" before downgrading, so you can report it if desired.

Another option is to enable more IPSec logging in /system/logging/add topics=ipsec,!raw which might have some clues on what's causing it. (And if you capture the supout.rif AFTER adding logging, you'd at least save potential clues for MT support).
I also encounter this
Just showed up digital signature verification failed
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Mon Jun 09, 2025 5:48 pm

*) container - show explicit stopped flag for container;
Perhaps you should NOT use "S" as /container flag for STOPPED as it "conflicts" with the usual "slave"/etc & started also starts with letter "S".

While "flag letters" may overlap in other places, this one confuses me (now perhaps just history that "no flag means not working", but still S means slave or static, not also stop or wrongly start). And with the new red "exited with" comments, it's pretty obvious it's stopped – so flag is kinda redundant given that feature.

I'd prefer "stopped" state did not have a flag – which may be a good idea before the stopped reason was also added. But perhaps using something different/"unusual" like lower-case "s" or "x" would be fine too. Or if there is no exit code but stopped, that could be a "red comment" that says "stopped".

But the already overloaded "S" flag does NOT need any more. And IMO the "transitory" container states like "extracting"/"stopping"/"starting" could also be lower case – which conveys the "-ing" part more clearly.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Tue Jun 10, 2025 8:33 pm

I had some containers working (including a faucet container, see posting* above)... Not anymore.

I downgraded to 7.19.1 to test something, and then upgraded back to 7.20beta2 — however my containers all disappeared. I know it's beta & there's been a lot of [good] changes in this release for containers... BUT.... it's not always easy to re-create them & doubly annoying since the root files are still on disk — and there is no config to "recover" them using the existing root-dir on disk when adding back container config.

* But thankfully I did write a script to "reincarnate" the Faucet /container, including some hideous :delay usage, but it did bring up everything again, after adding MORE :delay time
Last edited by Amm0 on Tue Jun 10, 2025 8:54 pm, edited 2 times in total.
 
fischerdouglas
Frequent Visitor
Posts: 99
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: v7.20beta [testing] is released!

Tue Jun 10, 2025 8:44 pm

It's taking a long time to release a 7.20beta3, isn't it?

They're going to take forever to release betas, which should be frequent.
And they're going to speed up RCs and stable, which should be very cautious.

How long did the last RC before the stable version of 7.18 (the one with the ROSE Data Server) last? Was it more than 48 hours?
 
infabo
Forum Guru
Posts: 1746
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.20beta [testing] is released!

Tue Jun 10, 2025 9:04 pm

Stable betas are the foundation of any stable release.
 
mkx
Forum Guru
Posts: 13817
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.20beta [testing] is released!

Tue Jun 10, 2025 9:26 pm

Difference between beta and RC is very small ... RC is beta that developers consider to be almost ready for release. Neither are stable and RC doesn't have to be any better than preceding betas. Active development still goes on during beta testing, it's just that focus shifts (or at least should IMO) to fixing bugs in RC stage.
If there are bugs in RC which should be fixed before release, and are harder to crack, then it's normal not to see frequent RCs. And it's probably not feasible to release RC for every bug fixed. Especially so if bug is easy to replicate so devs can verify the fix easily.
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.20beta [testing] is released!

Tue Jun 10, 2025 10:39 pm

It's taking a long time to release a 7.20beta3, isn't it?
Hopefully they are working on 7.19.2 instead!
 
Paternot
Forum Guru
Posts: 1110
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.20beta [testing] is released!

Tue Jun 10, 2025 10:41 pm

It's taking a long time to release a 7.20beta3, isn't it?
I'm a "bazaar guy" myself, not a "cathedral one". But I must admit: I'm finding this "new" Mikrotik cadence MUCH better than the previous "oh dear, here we go again" previous one.

Case in point: Mikrotik have just closed two bugs I opened. Both were marked as "solved". True, they were simple bugs. But one of them was solved in 2 days (!). Another one took about 2 months. I'm fine with this: slow and steady is FAR better than "go fast and break things".

Also, since I'm a sys admin, I'm heavily biased towards "more boring is more better". So there's that. Give me stable and monotonous every time of the week. The more boring, the "more better" - screaming and frights belong to an Amusement Park, not my systems.
 
Paternot
Forum Guru
Posts: 1110
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.20beta [testing] is released!

Tue Jun 10, 2025 10:42 pm

Hopefully they are working on 7.19.2 instead!
Both, probably? I don't see 7.20.0 getting released before 7.19.2.
 
itimo01
Member
Posts: 302
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: v7.20beta [testing] is released!

Wed Jun 11, 2025 5:51 pm

It's taking a long time to release a 7.20beta3, isn't it?
I'm finding this "new" Mikrotik cadence MUCH better than the previous "oh dear, here we go again" previous one.
+1
It's supposed to be a beta. Not an "alpha"/nightly.

If you want nightly check the nightly: mt.lv/nightly-build
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Wed Jun 11, 2025 6:22 pm

If you want nightly check the nightly: mt.lv/nightly-build
I know MikroTik uses Box for "cloud files" sometimes.... But the nightly build seems like an ideal way to "dogfood" their own "back-to-home-files"... #self-hosting

If they ran into usability/missing features/bugs with back-to-home-files themselves all the better. But back-to-home-files UI is cleaner/nicer IMO than Box's public view, and think it supports everything they're using in Box.
 
infabo
Forum Guru
Posts: 1746
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.20beta [testing] is released!

Wed Jun 11, 2025 6:57 pm

Mikrotik is already dogfooding their RDS. I suppose TikTube is running in a container for example. That's probably why we see so many changelog items in these areas.
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Wed Jun 11, 2025 10:09 pm

I suppose TikTube is running in a container for example.
It'd be a good application for RDS... but is that what it's actually running?

If so, I just hope they don't need to downgrade from this beta, otherwise possible the container gets "lost"/removed. ;-)
 
infabo
Forum Guru
Posts: 1746
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.20beta [testing] is released!

Wed Jun 11, 2025 10:15 pm

Newsletter #125 it says: "Runs entirely on our own RDS and hardware"
 
Amm0
Forum Guru
Posts: 4965
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.20beta [testing] is released!

Wed Jun 11, 2025 10:25 pm

Newsletter #125 it says: "Runs entirely on our own RDS and hardware"
👍

Maybe it can run back-to-home-files to start replacing Box.com too :)
 
nclmrc
just joined
Posts: 22
Joined: Sat Aug 24, 2019 2:33 am

Re: v7.20beta [testing] is released!

Thu Jun 12, 2025 9:55 am

In RB5009 with 7.20 beta 2, if I enable VLAN filtering, performance is very poor; if I disable it, performance is regular.

With VLAN Filtering:
https://eolo.speedtestcustom.com/result ... 6d9a99bf80

Without VLAN Filtering:
https://eolo.speedtestcustom.com/result ... 780d4ad900
 
erlinden
Forum Guru
Posts: 3126
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.20beta [testing] is released!

Thu Jun 12, 2025 9:57 am

In RB5009 with 7.20 beta 2, if I enable VLAN filtering, performance is very poor; if I disable it, performance is regular.
Different from previous versions?
Any queues running on specific VLANs?

Config might be helpful.
 
Paternot
Forum Guru
Posts: 1110
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.20beta [testing] is released!

Thu Jun 12, 2025 2:42 pm

In RB5009 with 7.20 beta 2, if I enable VLAN filtering, performance is very poor; if I disable it, performance is regular.
ETH1, running at 2,5Gbps? If yes, try either another port or limit eth1 to 1Gbps. See if it makes some difference.
 
nclmrc
just joined
Posts: 22
Joined: Sat Aug 24, 2019 2:33 am

Re: v7.20beta [testing] is released!

Thu Jun 12, 2025 11:33 pm

On eth1 there's PPPoE wan at 2.5Gbps, eth1 out of bridge
 
nclmrc
just joined
Posts: 22
Joined: Sat Aug 24, 2019 2:33 am

Re: v7.20beta [testing] is released!

Thu Jun 12, 2025 11:36 pm

In RB5009 with 7.20 beta 2, if I enable VLAN filtering, performance is very poor; if I disable it, performance is regular.
Different from previous versions?
Any queues running on specific VLANs?

Config might be helpful.
No queues, 7.19 stable same problem, simple conf from eth2 to eth8 and sfp in the bridge
 
Paternot
Forum Guru
Posts: 1110
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.20beta [testing] is released!

Thu Jun 12, 2025 11:41 pm

On eth1 there's PPPoE wan at 2.5Gbps, eth1 out of bridge
Do a test: limit the autonegotiation to 1Gbps. I saw some weird things with this eth1 at 2,5Gbps, but never had the time - or hardware - to debug further. Just to see what happens.
 
nclmrc
just joined
Posts: 22
Joined: Sat Aug 24, 2019 2:33 am

Re: v7.20beta [testing] is released!

Fri Jun 13, 2025 12:01 am

I did a test by doing a btest directly from a hAP connected via Ethernet, and it seems that only TCP is affected by the problem. When I can, I will set the port to 1G.

Edit: I also have a container with a veth in the bridge, which makes a speedtest without problem.