v7.9rc is released!

Fri Mar 31, 2023 11:44 am

RouterOS version 7.9rc has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.9rc5 (2023-Apr-28 11:52):

*) console - fixed password prompt (introduced in v7.9beta4);
*) lte - improved system stability when changing LTE interface configuration during network scan with MBIM modems (introduced in v7.8 );
*) wifiwave2 - fixed a compatibility issue when using OWE authentication (introduced in v7.8 );

What's new in 7.9rc4 (2023-Apr-24 16:34):

*) defconf - added CAPs mode script for wifiwave2 devices;
*) ovpn - improved system stability for Tile devices;
*) snmp - fixed several OIDs that were returning incorrect values (introduced in v7.9beta4);
*) snmp - fixed SNMPv3 "Reportable" flag behavior;
*) ssh - fixed SSH host key export (introduced in v7.9beta4);
*) switch - improved system stability during rapid MAC flapping for 98DXxxxx switches;
*) vxlan - improved system stability when printing FDB table (introduced in v7.9beta4);
*) webfig - fixed bogus comment for dynamic routes (introduced in v7.9beta4);
*) wifiwave2 - fixed WPS connectivity issues on 802.11ax APs (introduced in v7.9beta4);
*) wifiwave2 - improved WPS connection speed;

What's new in 7.9rc3 (2023-Apr-12 15:53):

*) tools - fixed "ip-scan" (introduced in v7.9beta4);
*) user-manager - fixed process startup after booting (introduced in v7.9beta4);

What's new in 7.9rc2 (2023-Apr-05 13:56):

*) snmp - fixed several OIDs that were returning empty values (introduced in v7.9beta4);
*) ssh - added support for Ed25519 key export and import in PKCS8 format;
*) wifiwave2 - fixed group key update for VLAN-tagged clients (introduced in v7.9beta4);

What's new in 7.9rc1 (2023-Mar-30 16:42):

*) bgp - copy all well-known and optional transitive attributes for BGP VPNv4 (introduced in v7.9beta4);
*) bgp - fixed BGP VPNv4 origin attribute (introduced in v7.9beta4);
*) console - fixed syntax highlighting when editing scripts (introduced in v7.9beta4);
*) console - replaced "fingerprint" with "skid" in "/certificate print";
*) health - fixed bogus value reporting for CRS510 device;
*) ike1 - improved service stability when handling non-RSA keys (introduced in v7.9beta4);
*) ike2 - fixed minor logging typo;
*) ipsec - added error log message when peer ID does not match certificate;
*) ipsec - improved handling of configuration that refers to non-existent certificate (introduced in v7.9beta4);
*) ipv6 - fixed IPv6 ND configuration change storing (introduced in v7.9beta4);
*) ipv6 - send out RA packet with "preferred-lifetime" set to "0" when IPv6 address is deactivated;
*) netinstall-cli - improved device reinstall on failed attempt;
*) snmp - improved outputting of routes;
*) ssh - improved system stability when using SSH tunneling (introduced in v7.9beta4);
*) timezone - updated timezone information from "tzdata2023c" release;
*) wifiwave2 - fixed key handshake timeout for re-associating client devices on 802.11ac interfaces;
*) winbox - fixed changing slot name under "System/Disk" menu;

Other changes since v7.8:

*) bgp - improved BGP VPN selection;
*) bridge - added warning log when "ageing-time" exceeds supported hardware limit for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) bridge - fixed FastPath when setting "use-ip-firewall-for-vlan" or "use-ip-firewall-for-pppoe" without enabled "use-ip-firewall";
*) certificate - fixed bogus log messages;
*) chr - fixed public SSH key pulling when running on AWS;
*) console - added "/task" submenu (CLI only);
*) console - added option to create new files using "/file add" command (CLI only);
*) console - improved stability when doing "/console inspect" in certain menus;
*) console - improved stability when editing long strings;
*) console - improved system stability;
*) console - removed bogus "reset" command from "/system resource usb" menu;
*) console - rename flag "seen reply" to "seen-reply" under "/ipv6 firewall connection" menu;
*) console - show Ethernet advertise, speed and duplex settings depending on configured auto-negotiation;
*) container - fixed invoking "container shell" more than once;
*) container - improved "container pull" to support OCI manifest format;
*) detnet - fixed interface state detection after reboot;
*) dhcp - changed the default lease time for newly created DHCP servers to 30 minutes;
*) dhcpv4-server - release lease if "check-status" reveals no conflict;
*) disk - improved system stability when removing USB while formatting;
*) ethernet - fixed half-duplex forced mode at 10Mbps and 100Mbps on ether1 for RB5009, Chateau 5G ax and hAP ax3 devices;
*) filesystem - fixed partition "copy-to" function;
*) firewall - added "connection-nat-state" to IPv6 mangle and filter rules;
*) health - added limited manual control over fans for CRS3xx, CRS5xx, CCR2xxx devices;
*) ipsec - fixed packet processing by hardware encryption engine on RB850Gx2 device;
*) ipsec - refactor X.509 implementation;
*) ipv6 - added "valid" and "lifetime" parameters for SLAAC IPv6 addresses;
*) l3hw - improved route offloading for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) leds - disable LEDs after "/system shutdown";
*) lte - capped maximum lifetime of SLAAC address to 1 hour;
*) lte - fixed CA band clearing on RAT mode change;
*) lte - fixed duplicate IPv6 route for lte interface when "ipv6-interface" setting is used;
*) lte - fixed LTE interface not showing up when resetting RouterOS configuration;
*) lte - fixed passthrough mode when used together with another APN for Chateau 5G;
*) lte - fixed R11-LTE-US in LTE passthrough mode;
*) lte - fixed R11e-LTE-US reporting of RSSI in LTE mode;
*) lte - fixed re-attach in some cases where module would stay in not-running state after network detach;
*) lte - fixed second modem halt on dual R11e-LTE6 setup;
*) mpls- fixed LDP "preferred-afi" parameter;
*) netwatch - added "startup-delay" setting (CLI only);
*) netwatch - improved ICMP status evaluation when no reply was present;
*) netwatch - limit "start-delay" range;
*) ospf - fixed processing of fragmented LSAs;
*) ovpn - added support for OVPN server configuration export and client configuration import from .ovpn file;
*) quickset - fixed displaying of "SINR" when value is 0;
*) rose-storage - added option to nvme-discover with hostname (CLI only);
*) rose-storage - fixed crash on nvme-tcp disable;
*) rose-storage - fixed rsync transfer permissions;
*) rose-storage - various stability fixes;
*) route - fixed "dynamic-id" for VRF tables;
*) route - improved system stability when making routing decision;
*) route - show SLAAC routes under the "/routing route" menu;
*) route-filter - improved stability when matching blackhole routes;
*) routerboot - added "preboot-etherboot" and "preboot-etherboot-server" settings ("/system routerboard upgrade" required) (CLI only);
*) sfp - added log warning about failed auto-initialization on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - allow modules that hold "TX_FAULT" high signal all the time on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - allow modules with bad or no EEPROM in forced mode on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - fixed "rate-select" functionality on CCR2004-16G-2S+ and CCR2004-1G-12S+2XS devices (introduced in v7.8 );
*) sfp - fixed combo-ether link monitor for CRS328-4C-20S-4S+ switch;
*) sfp - improved module initialization and display more detailed initialization status on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - improved SFP28 interface stability with some optical modules for CRS518 switch;
*) sfp - improved system stability with some SFP GPON modules on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) socks - added VRF support;
*) ssh - added Ed25519 host key support;
*) ssh - do not allow SHA1 usage with strong crypto enabled;
*) ssh - improved service responsiveness when changing SSH service settings;
*) ssh - improved SSH key import process;
*) storage - mount RAM drive for devices with 32MB flash;
*) supout - added DHCP server network section;
*) switch - fixed ACL rules matching IPv6 packets when using only IPv4 matchers;
*) switch - improved system stability for 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) vrrp - added "self" value for "group-master" setting;
*) vxlan - added forwarding table;
*) vxlan - fixed packet drops when host moves between remote VTEPs;
*) webfig - added inline comments;
*) webfig - fixed "Destination" value under "MPLS/Forwarding-Table" menu;
*) webfig - fixed issue where "Certificate" value disappears under "IP/Services" menu;
*) webfig - fixed issue where entries might be missing under "IP/DHCP-Server" menu;
*) webfig - various stability fixes;
*) wifiwave2 - added "radio/reg-info" command to show regulatory requirements (currently implemented for 802.11ac interfaces) (CLI only);
*) wifiwave2 - added ability to configure antenna gain;
*) wifiwave2 - added ability to configure beacon interval and DTIM period;
*) wifiwave2 - added information on additional interface capabilities to radio parameters;
*) wifiwave2 - automatically add a VLAN-tagged interface to the appropriate bridge VLAN;
*) wifiwave2 - exit sniffer command and return error when trying to sniff on an unsupported channel;
*) wifiwave2 - fixed 802.11r roaming for clients that performed initial authentication with an AP which has been restarted since;
*) wifiwave2 - fixed issue of some supported channels not being listed in the radio parameters;
*) wifiwave2 - fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs;
*) wifiwave2 - fixed VLAN tagging for unencrypted (open) APs;
*) wifiwave2 - improved general interface stability;
*) wifiwave2 - improved regulatory compliance for hAP ax^2, hAP ax^3 and Chateau ax;
*) wifiwave2 - increased maximum value for "channel.frequency" to 7300;
*) wifiwave2 - show information on captured packets and added ability to save them locally in a pcap file;
*) winbox - added "MTU" and "Hoplimit" properties under "IPv6/Routes" menu;
*) winbox - added "Preferred AFI" property under "MPLS/LDP-Instance" menu;
*) winbox - added "S" flag under "IPv6/Firewall/Connections" menu;
*) winbox - added "Tx Power" property under "Wifiwave2/Status" menu;
*) winbox - added "Tx Queue Drops" property under interface settings "Traffic" tab;
*) winbox - added "Username" and "Password" properties under "Container/Config" menu;
*) winbox - added "Valid" and "Preferred" properties under "IPv6/Address" menu;
*) winbox - added missing properties for "Remote ID Type" under "IP/IPsec/Identities" menu;
*) winbox - changed route flag name from "invalid" to "inactive";
*) winbox - fixed "TLS" property under "Tools/Email" menu;
*) winbox - fixed "Type" property under "System/Disk" menu when "rose-storage" package is installed;
*) winbox - fixed default value for "Allow managed" property under "Zerotier" menu;
*) winbox - fixed duplicate "My ID" column under "IP/IPsec/Identities" menu;
*) winbox - fixed minor typo in "WifiWave2/Radios" menu;
*) winbox - fixed missing "Sector Writes" for certain devices under "System/Resources" menu (introduced in v7.8 );
*) winbox - improved Ethernet advertise, speed and duplex settings;
*) winbox - only show permitted countries for wifiwave2 interfaces;
*) winbox - show missing "Designated Bridge" and "Designated Port Number" monitoring data under "Bridge/Port menu;
*) www - allow unsecure HTTP access to REST API;
*) x86 - fixed changing software-id (introduced in v7.7);
*) zerotier - upgraded to version 1.10.3;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

rextended · Fri Mar 31, 2023 11:54 am

*) bgp - copy all well-known and optional transitive attributes for BGP VPNv4 (introduced in v7.9beta4);
*) netinstall-cli - improved device reinstall on failed attempt;
*) ssh - added support for Ed25519 key export and import in PKCS8 format;
*) timezone - updated timezone information from "tzdata2023c" release;

Welldone!!!

goodend · Fri Mar 31, 2023 12:06 pm

Having trouble with the Hotspot Login Page in PCC Load Balancing which often fails to appear or doesn't automatically redirect?

Fri Mar 31, 2023 12:36 pm

Having trouble with the Hotspot Login Page in PCC Load Balancing which often fails to appear or doesn't automatically redirect?

I'm not sure this is related to 7.9rc, however HotSpot is not designed for multigateway configuration.

colinardo · Fri Mar 31, 2023 12:54 pm

Thanks!

Still some issues with ssh keys:

*) ssh - added support for Ed25519 key export and import in PKCS8 format;

Export of hostkey in ed25519 works, reimport of the same key or other ed25519 keys will not import (tested on CHR(x86) platform):

screenshot.png

Also user keys ed25519 in PKCS8 Format generated with the following command are not imported (with or without password doesn't matter)

ssh-keygen -t ed25519 -m PKCS8 -f my.key

screenshot.png

Regards
@colinardo

Fri Mar 31, 2023 1:19 pm

SUP-111720 for AX3 seems to be solved.
No more error messages about customized default config script at startup.
Default script (system default-configuration) is now also adjusted, not only caps part anymore.

osc86 · Fri Mar 31, 2023 1:41 pm

thanks for this new release.

*) ipv6 - send out RA packet with "preferred-lifetime" set to "0" when IPv6 address is deactivated;
please also do that when the router is rebooted (updates, maintenance).

And please fix PoE on hap ax3 to stay on when rebooting the device.

w0lt · Fri Mar 31, 2023 4:17 pm

ROS v7.9rc1

RB CCR2004-16G-2S+
Still have the same problem as 7.9rc4:
Again, does not happen on ROS v7.8

Screenshot 2023-03-31 at 8.08.52 AM.png

-tp

SOLVED -- Disabled iPV6 ND

massinia · Fri Mar 31, 2023 5:19 pm

hAP ax3, I have never seen this error before...

hap ax3.png

It happens every time I reboot hAP ax3, it doesn't happen on hAP ax2.

rextended · Fri Mar 31, 2023 5:35 pm

Already know, already reported from me two times on another two rotueros version, and the exact procedure for fix that error, never fixed.

Then I broke down to rewrite it every time, they didn't care anyway.

On 7.5
viewtopic.php?p=955204#p955204

On 7.6
viewtopic.php?p=962556#p962762

But the MikroTik Staff never gave a damn about it.

Fri Mar 31, 2023 6:29 pm

I had it too on AX3 and for me this was solved with 7.9rc1. See couple of posts up where the reference is of sup ticket.
No more error after reboot.

npeca75 · Fri Mar 31, 2023 6:30 pm

well, please don't fix SNMP anymore :(

LibreNMS could not read port MAC address

urknall · Fri Mar 31, 2023 7:03 pm

Is ovpn still unstable like in 7.8 or is that already fixed?

massinia · Fri Mar 31, 2023 7:04 pm

I had it too on AX3 and for me this was solved with 7.9rc1. See couple of posts up where the reference is of sup ticket.
No more error after reboot.

Very strange, I never seen it before.

If I downgrade to 7.9beta4 it disappears and if I upgrade to 7.9rc it reappears on every reboot...

npeca75 · Fri Mar 31, 2023 11:03 pm

well, please don't fix SNMP anymore :(

LibreNMS could not read port MAC address

yepp, same on beta4 and rc1

ifPhysAddress 
SNMP['/usr/bin/snmpbulkwalk' '-v2c' '-c' 'COMMUNITY' '-OQUst' '-m' 'IF-MIB' '-M' '/opt/librenms/mibs:/opt/librenms/mibs/mikrotik' 'udp:HOSTNAME:161' 'ifPhysAddress']

ifPhysAddress.1 = 0:0:0:0:0:0
ifPhysAddress.2 = 0:0:0:0:0:0
ifPhysAddress.3 = 0:0:0:0:0:0
ifPhysAddress.4 = 0:0:0:0:0:0
ifPhysAddress.5 = 0:0:0:0:0:0

it is unusable in this way

own3r1138 · Sat Apr 01, 2023 5:58 am

2023-04-01_06-27-06.png

fakeusername2022 · Sat Apr 01, 2023 10:09 am

There is a bug with Radius Server and User Manager causes Radius Timeout error for clients trying to connect.

rextended · Sat Apr 01, 2023 11:07 am

For increase the TX power over regulatory limits, just alter this file and save it on
\lib\modules\5.6.3\kernel\net\wireless
where is also present cfg80211.ko
on flash device must be put on
\flash\lib\modules\5.6.3\kernel\net\wireless

Znevna · Sat Apr 01, 2023 11:58 am

For increase the TX power over regulatory limits, just alter this file and save it on
[...]

I've got over 9000mW, thanks!

mkx · Sat Apr 01, 2023 1:10 pm

For increase the TX power over regulatory limits, just alter this file and save it on
[...]
I've got over 9000mW, thanks!

Thans goodness you didn't push for more ... it could cook your balls ...

herger · Sat Apr 01, 2023 1:41 pm

For increase the TX power over regulatory limits, just alter this file and save it on
\lib\modules\5.6.3\kernel\net\wireless
where is also present cfg80211.ko
on flash device must be put on
\flash\lib\modules\5.6.3\kernel\net\wireless

APRILS FOOOOOOLS !!!! xD
nice one, but the utf-8 part gave you away (;

herger · Sat Apr 01, 2023 1:43 pm

Obviously the TX power needs to be specified as UNICODE!

massinia · Sat Apr 01, 2023 1:44 pm

2023-04-01_06-27-06.png

@own3r1138

1 aprile.png

😂

rextended · Sat Apr 01, 2023 2:17 pm

nice one, but the utf-8 part gave you away (;

it's in stock image :lol:

JohnConnett · Sat Apr 01, 2023 6:11 pm

Thanks!

Still some issues with ssh keys:

*) ssh - added support for Ed25519 key export and import in PKCS8 format;

Export of hostkey in ed25519 works, reimport of the same key or other ed25519 keys will not import (tested on CHR(x86) platform):

Haven't found a way to convert the exported host keys to OpenSSH format using

ssh-keygen

.

sshpk seems to work using the following:

$ node sshpk/bin/sshpk-conv --informat=pkcs8 --file=router_ed25519.pem --outformat=ssh --out=router_ed25519.pub --comment "admin@router"
$ file router_ed25519.pub
router_ed25519.pub: OpenSSH ED25519 public key
$

Might be safer to provide a mechanism to export just the host public key (or encrypt the hosts keys with a passphrase).

rpingar · Sat Apr 01, 2023 7:56 pm

on ccr2216 appling Force-Mac-Address to a bonding interface block all the logic of the router, no winbox or mac-telnet, but it respond to ping on all other interfaces then bonding with force mac address.

rebooting is the only solution.

rpingar · Sun Apr 02, 2023 12:15 pm

7.9rc1 on CCR2216 has an higher icmp ping loss compared to 7.8 and previews.
7.9rc1 respond with ~3x1000 loss
same hardware, same configuration but with 7.8 respond with ~3x10000 loss
just an order of magnitude higher.

DarkNate · Sun Apr 02, 2023 2:12 pm

Looks like I'll stay on 7.8 for all production hardware, even in my home. Until 7.9 is stable.

DarkNate · Sun Apr 02, 2023 2:13 pm

7.9rc1 on CCR2216 has an higher icmp ping loss compared to 7.8 and previews.
7.9rc1 respond with ~3x1000 loss
same hardware, same configuration but with 7.8 respond with ~3x10000 loss
just an order of magnitude higher.

This is likely just lower rate limiting threshold. And can be ignored. I've seen the same on Juniper and Huawei, aggressive ICMP rate limiting.

JohnConnett · Sun Apr 02, 2023 2:20 pm

*) ssh - added support for Ed25519 key export and import in PKCS8 format;

Does

/user/ssh-keys/import

also support Ed25519 public keys?
If so, what format(s) are supported?
I've tried (what I think are) OpenSSH and PKCS#8 without passphrases and both return unable to load key file (wrong format or bad passphrase).

rpingar · Sun Apr 02, 2023 2:31 pm

7.9rc1 on CCR2216 has an higher icmp ping loss compared to 7.8 and previews.
7.9rc1 respond with ~3x1000 loss
same hardware, same configuration but with 7.8 respond with ~3x10000 loss
just an order of magnitude higher.
This is likely just lower rate limiting threshold. And can be ignored. I've seen the same on Juniper and Huawei, aggressive ICMP rate limiting.

I agree with you, but I would like to controll this behavior to handle some corner case issues.
regards

mkx · Sun Apr 02, 2023 3:01 pm

Looks like I'll stay on 7.8 for all production hardware, even in my home. Until 7.9 is stable.

Well, this is a "release candidate" and MT had occasions where more than one RC happened before corresponding "full" release. Meaning that even MT considers this more a lab testing release than for production environment. Surely it's up to anyone to install rc or even beta in their production networks if they decide so.

Joe1vm · Sun Apr 02, 2023 4:00 pm

Hello....
It seems that the container issue still persist - tested with adguard with following result

from the log....
" importing remote image: adguard/adguardhome, tag: latest"
" was unable to import, container 1a56800e-9820-4ec2-a433-b6bc1f77f2e2...

Jotne · Sun Apr 02, 2023 4:12 pm

Looks like I'll stay on 7.8 for all production hardware, even in my home. Until 7.9 is stable.

Well, this is a "release candidate" and MT had occasions where more than one RC happened before corresponding "full" release. Meaning that even MT considers this more a lab testing release than for production environment. Surely it's up to anyone to install rc or even beta in their production networks if they decide so.

And RC should never be run in production. I would say stay away from 7.x.0 and wait for 7.x.1 or higher. But it seems that MT like to add new function compare to make it stable. I was hoping on 7.8.1 be fore 7.9beta/rc, or at lest backport fixes broken in 7.8 to make 7.8.1 and try to reach the first long time release for 7.x

JohnConnett · Sun Apr 02, 2023 5:19 pm

*) ssh - added support for Ed25519 key export and import in PKCS8 format;

Might be safer to provide a mechanism to export just the host public key (or encrypt the hosts keys with a passphrase).

Ignore the first part of the above!

ssh-keyscan router

works fine to obtain the host public key (so long as you remember to specify the port if you've changed it from the default).

volkirik · Sun Apr 02, 2023 9:50 pm

ipv6 fasttrack support please

expo · Mon Apr 03, 2023 3:44 am

Anyone noticed lockups on CCR2216 on 7.9beta4? Not sure yet if it's hardware or software related but usually since watchdog is enabled you would get a reboot, no response on console either...

goodend · Mon Apr 03, 2023 1:59 pm

Having trouble with the Hotspot Login Page in PCC Load Balancing which often fails to appear or doesn't automatically redirect?
I'm not sure this is related to 7.9rc, however HotSpot is not designed for multigateway configuration.

V6 version is normal

volkirik · Mon Apr 03, 2023 2:41 pm

ipv6 fasttrack support is late

please mikrotik team

pjkundert · Mon Apr 03, 2023 6:17 pm

Scripting of deployment of ssh private keys is (still) impossible:

Without a "passphrase=" option to the /user/ssh-key/private/import command, we cannot write scripting to import the deployed SSH private keys.

Can you please add the option, or provide alternative means to supply "user input" to commands in scripts?

Thanks,

nemoforum · Mon Apr 03, 2023 7:45 pm

Tx Power for 2.4 GHz interface on hAP ax2 is limited to 15 dBm. Tested with different Country configured.
Moreover, right after changing a country 20 dBm is displayed for a while and then it falls to 15 dBm.

pjkundert · Mon Apr 03, 2023 8:20 pm

Creation of PKCS8-format private SSH ed25519 keys using ssh-keygen seems to be impossible.

What is the recommended procedure for creating an ed25519 PKCS8-format SSH private key?

eworm · Mon Apr 03, 2023 8:35 pm

Non. Currently ed25519 keys for public key authentication are not supported.

kev445 · Mon Apr 03, 2023 8:44 pm

ipv6 fasttrack support is late

please mikrotik team

Don't push them too hard, they'll have the last laugh and tell us it will be in version 8!

volkirik · Mon Apr 03, 2023 9:02 pm

it is their market share and they are laughing at it.

ipv6 was introduced 27 years ago. most competitors have fast-track support now.

rextended · Mon Apr 03, 2023 10:20 pm

Tx Power for 2.4 GHz interface on hAP ax2 is limited to 15 dBm. Tested with different Country configured.
Moreover, right after changing a country 20 dBm is displayed for a while and then it falls to 15 dBm.

Copy & Paste???
viewtopic.php?p=993395#p993395

Same reply:
Is correct, 15 + 4,5 ~20dB...

rextended · Mon Apr 03, 2023 10:22 pm

ipv6 was introduced 27 years ago. most competitors have fast-track support now.

Latvia do not use IPv6, so....
https://www.google.com/intl/en/ipv6/sta ... 6-adoption

And on Italy (8,74%) I'm contributing just with only 2 "/32"

pjkundert · Mon Apr 03, 2023 10:24 pm

[/quote]

Non. Currently ed25519 keys for public key authentication are not supported.

Hmmm...:

*) ssh - added support for Ed25519 key export and import in PKCS8 format;

*) ssh - added Ed25519 host key support;

So they only added Ed25519 for "host keys", not for authentication? That's unfortunate...

massinia · Mon Apr 03, 2023 10:26 pm

Screenshot 2023-04-03 alle 21.23.27.png

Small problem with characters in log...

rextended · Mon Apr 03, 2023 10:28 pm

What characters? "%*8"? Is interface with .id = 8
on terminal, for know the name:

/int pri where .id=*8

The bug is not the character, but the missing convertion from .id to name.

ToTheCLI · Mon Apr 03, 2023 11:27 pm

For those with the RB5009 and a GPON SFP, Does Forcing 2.5Gbps rate work on v7.9rc1?

massinia · Mon Apr 03, 2023 11:35 pm

What characters? "%*8"? Is interface with .id = 8
on terminal, for know the name:
Code: Select all
/int pri where .id=*8
The bug is not the character, but the missing convertion from .id to name.

Ah OK thanks rextended

Screenshot 2023-04-03 alle 22.33.13.png

Tue Apr 04, 2023 8:22 am

At the moment Ed25519 key import/export is available only under the "/ip/ssh/" menu. The format must be PKCS8. An additional fix for the "/ip/ssh/import-host-key" function will be available in rc2.

Please note that ssh-keygen ignores the PKCS8 format parameter for Ed25519 key, you should use OpenSSL to generate the key and store it in PKCS8 format.

"openssl genpkey -algorithm ed25519 -out private.pem"

anav · Tue Apr 04, 2023 1:37 pm

Hi Strods, I am curious as to where folks are supposed to know these gems?
In other words, why not publish such known work-arounds or such 'tricks' on a web page, and then close the line when added to winbox etc.

rextended · Tue Apr 04, 2023 1:51 pm

An additional fix for the "/ip/ssh/import-host-key" function will be available in rc2.

Please also fix the missing password parameter on /user ssh-keys private import private-key-file=xxx user=xxx
Someone lost it along the way

nemoforum · Wed Apr 05, 2023 12:01 am

Tx Power for 2.4 GHz interface on hAP ax2 is limited to 15 dBm. Tested with different Country configured.
Moreover, right after changing a country 20 dBm is displayed for a while and then it falls to 15 dBm.
Copy & Paste???
viewtopic.php?p=993395#p993395

Same reply:
Is correct, 15 + 4,5 ~20dB...

Yes, you copy-pasted your assumption as a reply to the reported and still-existing bug.

rextended · Wed Apr 05, 2023 12:18 am

Yes, you copy-pasted your assumption as a reply to the reported and still-existing bug.

You do not read the specs... or if you read it, you do not understand what you read, and this is not one assumption, is a fact.

See the official reply if you do not like know from other users how the things works...
viewtopic.php?t=194993#p994422

doridian · Wed Apr 05, 2023 2:00 am

With 7.9rc1 I suddenly see VRRP announcement traffic on interfaces that have a group-master (which is not themselves).
This is causing rapid address flapping

Logs

15:50:13 vrrp,info vrrp-security-dns now MASTER, master down timer
15:50:13 vrrp,info vrrp-security-dns now BACKUP (set by VRRP Group)
...
15:50:17 vrrp,info vrrp-security-dns now MASTER, master down timer
15:50:17 vrrp,info vrrp-security-dns now BACKUP (set by VRRP Group)

Relevant config

[admin@router-backup] /interface/vrrp> print
Flags: X, I - INVALID; B, F - FAILURE
Columns: NAME, INTERFACE, MAC-ADDRESS, GROUP-MASTER, VRID, PRIORITY, INTERVAL, VERSION, V3-PROTOCOL, SYNC-CONNECTION-TRACKING
 #    NAME                     INTERFACE        MAC-ADDRESS        GROUP-MASTER       VRID  PRIORITY  INTERVAL  VERSION  V3-PROTOCOL  SYNC-CONNECTION-TRACKING
...
12  B vrrp-mgmt-dns            vlan-mgmt        00:00:5E:00:01:35  self                 53        25  1s              2  ipv4         no
...
15  B vrrp-security-dns        vlan-security    00:00:5E:00:01:35  vrrp-mgmt-dns        53        25  1s              2  ipv4         no
...

I have already deleted and manually recreated the entire VRRP config and the announcements are still (incorrectly) sent on the non-master interfaces.
My router on 7.8 correctly only announces on the group-master

moojp · Wed Apr 05, 2023 5:29 am

With 7.9rc1 I suddenly see VRRP announcement traffic on interfaces that have a group-master (which is not themselves).
This is causing rapid address flapping

Same issue on my routers since 7.9beta4. I created SUP-112104 on Mar29. still "Waiting for support" status.

EDITTED
On Apr05, I received a message that MikroTik had reproduced this issue.

theosoft · Wed Apr 05, 2023 9:21 am

I would like to know the status of the partitioning bug in 7.9 releases.

viewtopic.php?p=992361#p992361

Is there a fix in handling /dev during partitioning as promissed in 7.8?
Is it tested?

regards

Wed Apr 05, 2023 9:28 am

Tx Power for 2.4 GHz interface on hAP ax2 is limited to 15 dBm. Tested with different Country configured.
Moreover, right after changing a country 20 dBm is displayed for a while and then it falls to 15 dBm.

The monitor command will report transmitter (radio) power. As rextended pointed out, 15dBm is the appropriate transmitter power to use for an interface with 5 dB (rounded up) antenna gain, when operating on a channel, where regulatory requirements limit EIRP to 20dBm.
The initial reading of 20dBm is erroneous. As the interface is starting up, the actual power figure is not yet available and the reading falls back to max regulatory EIRP.

rextended · Wed Apr 05, 2023 10:49 am

@nemoforum
For be clear: the bug can be the temporary display of 20, not what you suppose: the tx power = 15.

mevara · Wed Apr 05, 2023 12:28 pm

Already know, already reported from me two times on another two rotueros version, and the exact procedure for fix that error, never fixed.

Then I broke down to rewrite it every time, they didn't care anyway.

On 7.5
viewtopic.php?p=955204#p955204

On 7.6
viewtopic.php?p=962556#p962762

But the MikroTik Staff never gave a damn about it.

Same thing on hap ac3. May be it connected with Wave2 packet (so no /interface/wireless more)

Wed Apr 05, 2023 12:34 pm

AX2, just noticed Files section is pretty desolated
As in : EMPTY, I had some backups in there, luckily also offline. But there should have been a /pub folder too ?

Downgraded to 7.8, still the same.
Only when I recreated my backups, /pub folder reappeared.

Upgraded again to 7.9rc1.
Files still there.

volkirik · Wed Apr 05, 2023 2:43 pm

i suggest setting default (factory) value of SIP TIMEOUT to 3 minutes (by default). hope we can see it in next releases.

Most routers use 3 minutes udp session timeout. when SIP timeout is higher than 3 minutes, keep alive packets or reconnections will not happen. and this will make your phone number unavailable.

tbh 10 seconds value will work even better if you add connection tracking timeout to SIP ALG. for example, i want SIP connection to stay in connection tracking table for 1 hours, and set sip timeout to 10 seconds so devices will send keepalive/invite etc each and every ten seconds.

thanks for reading , regards

nonolk · Wed Apr 05, 2023 4:02 pm

Hello,

I’ve just found one possible bug, when activating ft=yes old iPads Air 2 running iPadOS 15.7.4 could not connect anymore (activating ft-over-ds do not help neither), always requesting for password and telling bad password. In my case valid authentication are wpa2-psk and wpa3-psk only (checked also with wpa-psk unsucessfully).
By looking here https://support.apple.com/en-us/HT202628 is seems related to 802.11r adaptive, could it be possible to just activate 802.11k and 801.11r and add a checkbox to active 802.11r adaptative ?

Deactivating ft (ft=no) solve the issue.

Regards,

prmfeddema · Wed Apr 05, 2023 5:49 pm

Thanks for all the hard work - but a large number of users are still suffering from non-working sfp adapters in the RB5009's
One user is running a RB5009UG and this one does work while a larger group of other users (both RB5009UG as well as RB5009Upr) suffer from a problem with non-working sfp (fs.com) adapters.
The sfp adapters work fine in a HexS and a tp-link media converter - so it seems that the problem lies with the RB5009.

As this issue is now going on for 6 months or more - would you be so kind to give this some priority please?

fqx · Thu Apr 06, 2023 8:18 am

*) sfp - improved system stability with some SFP GPON modules on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;

I have a XPON module that works with 7.6, it still doesn't work in 7.9rc1

dang21000 · Thu Apr 06, 2023 9:30 am

Hi,

Repartition from 1 to 2 still not work if there container and usbkey (hap ax3).

Thu Apr 06, 2023 11:28 am

What's new in 7.9rc2 (2023-Apr-05 13:56):

*) snmp - fixed several OIDs that were returning empty values (introduced in v7.9beta4);
*) ssh - added support for Ed25519 key export and import in PKCS8 format;
*) wifiwave2 - fixed group key update for VLAN-tagged clients (introduced in v7.9beta4);

Thu Apr 06, 2023 11:30 am

I’ve just found one possible bug, when activating ft=yes old iPads Air 2 running iPadOS 15.7.4 could not connect anymore (activating ft-over-ds do not help neither), always requesting for password and telling bad password. In my case valid authentication are wpa2-psk and wpa3-psk only (checked also with wpa-psk unsucessfully).

Hello, please open a support ticket regarding this.
Have you tried removing the network from the list of saved wifi networks on the iPad and adding it again after enabling ft?
'Adaptive' 802.11r appears to be a proprietary behaviour implemented to accomodate clients which get confused by 802.11r. The iPad should not require it.

rextended · Thu Apr 06, 2023 11:41 am

*) ssh - added support for Ed25519 key export and import in PKCS8 format;

Yessss..........

Please also fix the missing password parameter on /user ssh-keys private import private-key-file=xxx user=xxx
Someone lost it along the way

Rox169 · Thu Apr 06, 2023 12:01 pm

only few changes in 7,9rc2 so stable is around corner :)

Rox169 · Thu Apr 06, 2023 12:06 pm

Tx Power for 2.4 GHz interface on hAP ax2 is limited to 15 dBm. Tested with different Country configured.
Moreover, right after changing a country 20 dBm is displayed for a while and then it falls to 15 dBm.
The monitor command will report transmitter (radio) power. As rextended pointed out, 15dBm is the appropriate transmitter power to use for an interface with 5 dB (rounded up) antenna gain, when operating on a channel, where regulatory requirements limit EIRP to 20dBm.
The initial reading of 20dBm is erroneous. As the interface is starting up, the actual power figure is not yet available and the reading falls back to max regulatory EIRP.

is it possible to have superchannel where we will be able to set all parameters without any restictions?

rextended · Thu Apr 06, 2023 12:11 pm

It's better to ask Debug mode as non-wifiwave2 for Compliance Testing purpose....
Using the manufacturer's drivers has its drawback ...

Thu Apr 06, 2023 12:13 pm

Upgraded RB5009, AX2 and AX3 coming from rc1. Didn't expect any problems and so far none seen.

Thu Apr 06, 2023 12:16 pm

*) ssh - added support for Ed25519 key export and import in PKCS8 format;
Yessss..........

Please also fix the missing password parameter on /user ssh-keys private import private-key-file=xxx user=xxx
Someone lost it along the way

if you want to import the key in interactive mode then for security reasons passphrase is asked when you execute the command.

rextended · Thu Apr 06, 2023 12:21 pm

Obviously the request is not for interactive mode......................... and not for remove the password request...........
And for non interactive mode? Where is the password parameter like on v6?
Is more secure remove the password from the private key(?) because is not possible anymore import the key protected with password????

npeca75 · Thu Apr 06, 2023 2:49 pm

*) snmp - fixed several OIDs that were returning empty values (introduced in v7.9beta4);

looks like it is working as expected

ifPhysAddress.1 = 6c:3b:6b:c2:37:a4
ifPhysAddress.2 = 6c:3b:6b:c2:37:a5
ifPhysAddress.3 = 6c:3b:6b:c2:37:a6
ifPhysAddress.4 = 6c:3b:6b:c2:37:a7
ifPhysAddress.5 = 6c:3b:6b:c2:37:a8

w0lt · Thu Apr 06, 2023 4:54 pm

hAP_AX^3 ROS 7.9rc2 still does not have the feature to "Copy To Access List" on wireless.

massinia · Thu Apr 06, 2023 5:33 pm

Seems fixed with rc2 🎉

Thu Apr 06, 2023 5:38 pm

Yes and no.

Yes as in: I don't see it anymore either (already since rc1)
No as in: support confirmed me today they still haven't found the root cause of the problem (so inherently it is still there). So my ticket stays open.

rextended · Thu Apr 06, 2023 5:53 pm

Yes and no.

Yes as in: I don't see it anymore either (already since rc1)
No as in: support confirmed me today they still haven't found the root cause of the problem (so inherently it is still there). So my ticket stays open.

Send this link to support...............
viewtopic.php?t=194993#p993491

You can extract the file get-custom-defconf from routeros-7.9rc2-mipsbe.npk in the folder \nova\lib\defconf
If you open it, still present those fking lines.....

Accidentally the already converted block was not deleted, old code and unused chunks were left from line 983 to line 995.

peich1 · Thu Apr 06, 2023 6:02 pm

Is ovpn still unstable like in 7.8 or is that already fixed?

I'm very interested in this too, anyone have tried it?

Thu Apr 06, 2023 6:03 pm

Send this link to support...............
viewtopic.php?t=194993#p993491

Done :)

own3r1138 · Thu Apr 06, 2023 6:41 pm

Is OVPN still unstable like in 7.8 or is that already fixed?
I'm very interested in this too, anyone tried it?

No, it has not been fixed. Instant crashes due to high CPU utilization.

peich1 · Thu Apr 06, 2023 7:06 pm

I'm very interested in this too, anyone tried it?

No, it has not been fixed. Instant crashes due to high CPU utilization.

Wow! What is Mikrotik waiting for? This is an important bug, it should have been fixed right away!

own3r1138 · Thu Apr 06, 2023 7:22 pm

@MT
We are not able to track this problem down/repeat it in our internal tests.

peich1 · Thu Apr 06, 2023 7:42 pm

@MT
We are not able to track this problem down/repeat it in our internal tests.

I don't think it's so difficult to replicate... it happens to me in several routers. It happens when a tunnel gets disconnected for whatever reason, and then the router creates a new one (when there is a static -in interface, it creates a new dynamic one) but the process for the old tunnel seems to keep running in the background, maxing out a core of the cpu.

Simonej · Thu Apr 06, 2023 9:21 pm

Send this link to support...............
viewtopic.php?t=194993#p993491

@rextended is this related to the WiFi error that happens on Audience with wifiwave2 confirmed also by @mkx?
I already sent your post months ago to support (was a different post maybe from v7.4).

rextended · Thu Apr 06, 2023 11:08 pm

Yes, still the same error, but not only on Audience.....

nemoforum · Fri Apr 07, 2023 1:05 am

Tx Power for 2.4 GHz interface on hAP ax2 is limited to 15 dBm. Tested with different Country configured.
Moreover, right after changing a country 20 dBm is displayed for a while and then it falls to 15 dBm.
The monitor command will report transmitter (radio) power. As rextended pointed out, 15dBm is the appropriate transmitter power to use for an interface with 5 dB (rounded up) antenna gain, when operating on a channel, where regulatory requirements limit EIRP to 20dBm.
The initial reading of 20dBm is erroneous. As the interface is starting up, the actual power figure is not yet available and the reading falls back to max regulatory EIRP.

20dBm for all countries? No.
https://git.kernel.org/pub/scm/linux/ke ... ree/db.txt
Guatemala - 30dmb
Panama - 36dBm
I've played with the "Country" option and it doesn't affect the reported TX power. It always says 15 (+4.5?). But for Guatemala the limit is (2402 - 2472 @ 40), (30), for Panama - (2400 - 2483.5 @ 40), (36).
At the same time, changing the "Country" option for 5GHz interface affects the reported TX power: I saw values from 9dBm (Ukraine) to 25dBm (Guatemala, Panama). But still less than allowed values (including antenna gain: Guatemala - (5725 - 5850 @ 80), (36)).

In addition:
https://i.mt.lv/cdn/product_files/hAPax2_221036.pdf - Wireless specifications
vs
https://fccid.io/TV7C52-5AXD2AXD - Operating Frequencies
-- upd --
Okay, I was able to get 25dBm (+5) for 2GHz interface with region Panama and 1 ch (2412 MHz) configured. 13 ch is not supported for Panama - what?!.
But https://git.kernel.org/pub/scm/linux/ke ... ree/db.txt says that the limit for Panama is 36dBm for 2400 - 2483.5 @ 40, so 13ch (2472 center freq., 2461–2483) should not be supported. The same for Guatemala and a lot of other counties.
Please, clarify what regdb wifiwave2 uses?

rextended · Fri Apr 07, 2023 2:18 am

kernel.org or any other source do not have any value at all.

Panama is 30dBm
The unique official source https://www.asep.gob.pa/?page_id=13116 Page 131

nemoforum · Fri Apr 07, 2023 2:55 am

kernel.org or any other source do not have any value at all.

Panama is 30dBm
The unique official source https://www.asep.gob.pa/?page_id=13116 Page 131

Regdb is filled up from such sources, but it could be outdated, for sure.
Okay, let's take a look at https://www.asep.gob.pa/?page_id=13116 Page 131: it says 1W (30dBm) for the whole range from 2.4GHz to 2.4835GHz.
While 1ch is 2412 MHz (2401–2423) and 13ch is 2472 MHz (2461–2483), and taking into account the previous line - wifiwave2 says "no supported channels". What, Mikrotik?!

Wifi regulatory domain should be definitely fixed.

amokkatmt · Fri Apr 07, 2023 6:07 pm

hAP ax3. Funny thing that exactly on 7.9rc1 (2023-Mar-30 16:42) I first acquainted with "key handshake timeout" messages in my log:

*) wifiwave2 - fixed key handshake timeout for re-associating client devices on 802.11ac interfaces;

After few hours of uptime all wireless devices were losing ability to connect, to both 2.4 & 5GHz. Disabling WPA3, tripping wireless interface did nothing, only reboot helped. After second occurrence downgraded to 7.8.

Znevna · Fri Apr 07, 2023 9:55 pm

Regdb is filled up from such sources, but it could be outdated, for sure.
Okay, let's take a look at https://www.asep.gob.pa/?page_id=13116 Page 131: it says 1W (30dBm) for the whole range from 2.4GHz to 2.4835GHz.
While 1ch is 2412 MHz (2401–2423) and 13ch is 2472 MHz (2461–2483), and taking into account the previous line - wifiwave2 says "no supported channels". What, Mikrotik?!

Wifi regulatory domain should be definitely fixed.

Probably they use a version prior to this change (change that is now outdated and wrong based on your document).
You'll first have to fix it in regdb :)

nonolk · Sat Apr 08, 2023 12:16 pm

hAP ax3. Funny thing that exactly on 7.9rc1 (2023-Mar-30 16:42) I first acquainted with "key handshake timeout" messages in my log:
*) wifiwave2 - fixed key handshake timeout for re-associating client devices on 802.11ac interfaces;
After few hours of uptime all wireless devices were losing ability to connect, to both 2.4 & 5GHz. Disabling WPA3, tripping wireless interface did nothing, only reboot helped. After second occurrence downgraded to 7.8.

I’m experiencing the same issue on a Hap ax2, I didn’t find any solution except a reboot to solve the issue…
I didn’t test 7.9rc2 so far.

peterda · Sun Apr 09, 2023 2:11 pm

Please fix the ether1 unstable issue on the mAP lite.
The device works, sort off, with 7.8 but ether1 will not link with the connected hardware.
Tested with hEX S, Cisco Catalyst, many ethernet dongles for Mac …
Last resort; powering with a POE Cisco Catalyst, i was able to connect and downgrade it to 6.x to have it working again.

The mAP lite is reported to work okay with ROS 7.8 by other users so please ignore the above :)
Must be my unit that is faulty.

Cheers Peter

eworm · Sun Apr 09, 2023 2:46 pm

Oh, I have a mAP lite that I thought is dying... Perhaps it is not. 🤔

DarkNate · Sun Apr 09, 2023 8:52 pm

I agree with you, but I would like to controll this behavior to handle some corner case issues.
regards

You can control it via IP>Settings>ICMP Rate

ToTheCLI · Mon Apr 10, 2023 4:56 am

2.5Gbps Fixed rate on GPON SFP (Huawei MA5671A) works but PPPoE Scan is not working (shows no entries) was working on 7.7 stable on RB5009.

rpingar · Mon Apr 10, 2023 9:06 am

I agree with you, but I would like to controll this behavior to handle some corner case issues.
regards
You can control it via IP>Settings>ICMP Rate

too easy... it is just now unlimited

loloski · Mon Apr 10, 2023 10:11 am

Please update the config snippet from https://help.mikrotik.com/docs/display/ ... figuration

/interface wifiwave2
set wifi1 channel=ch-2ghz configuration=common-conf disabled=no
set wifi2 channel=ch-5ghz configuration=common-conf disabled=no

into this

/interface wifiwave2
set wifi1 channel=ch-5ghz configuration=common-conf disabled=no
set wifi2 channel=ch-2ghz configuration=common-conf disabled=no

This cause an error when activating the wifi with No supported Channels error at least on hap ax2

just my 0.2

Mon Apr 10, 2023 10:16 am

No, it needs to be specified that particular config is for non-AX devices.
And then a note indicating order of interfaces is swapped for AX.

Or the other way around.

But not simply change because then it will be wrong for AC3, Audience, ...

Still puzzles me why they changed that order. Much easier to keep it the same.

nonolk · Mon Apr 10, 2023 11:48 am

Hello, please open a support ticket regarding this.
Have you tried removing the network from the list of saved wifi networks on the iPad and adding it again after enabling ft?
'Adaptive' 802.11r appears to be a proprietary behaviour implemented to accomodate clients which get confused by 802.11r. The iPad should not require it.

I opened a support ticket for it SUP-113114, yes of course I tested to remove the network from the saved network list, but it didn’t help.

Regards,

volkirik · Mon Apr 10, 2023 8:21 pm

i suggest setting default (factory) value of SIP TIMEOUT to 3 minutes (by default). hope we can see it in next releases.

Most routers use 3 minutes udp session timeout. when SIP timeout is higher than 3 minutes, keep alive packets or reconnections will not happen. and this will make your phone number unavailable.

tbh 10 seconds value will work even better if you add connection tracking timeout to SIP ALG. for example, i want SIP connection to stay in connection tracking table for 1 hours, and set sip timeout to 10 seconds so devices will send keepalive/invite etc each and every ten seconds.

thanks for reading , regards

nevermind. setting 10 minutes for tcp-established and sip-timeout works just fine. I guess the problem was with longer timeouts.

Rox169 · Mon Apr 10, 2023 10:07 pm

7.9rc2 working on ax2 without any issue

loloski · Tue Apr 11, 2023 1:50 am

No, it needs to be specified that particular config is for non-AX devices.
And then a note indicating order of interfaces is swapped for AX.

Or the other way around.

But not simply change because then it will be wrong for AC3, Audience, ...

Still puzzles me why they changed that order. Much easier to keep it the same.

I agree

rolling · Tue Apr 11, 2023 8:27 am

Hi,

tool ip-scan not work on 7.9

regards.

Ullinator · Tue Apr 11, 2023 10:28 am

Hi,

tool ip-scan not work on 7.9

regards.

Confirmed :-/

kreb · Tue Apr 11, 2023 5:51 pm

Confirmed 7.9rc2. ccr2116

dang21000 · Wed Apr 12, 2023 9:30 am

7.9rc2 working on ax2 without any issue

Hi.

For me, FastTrack counters stay at zero on hap_ax3. Since 7.8.
On a rb2011 everything is OK with a similar config.

Joe1vm · Wed Apr 12, 2023 8:40 pm

2x hap ax2 + hap ax3 working as caps connected via Cisco switch to 5009 acting as main router and capsman.
Both hap ax2 randomly disconnect from capsman. Sometimes they reconnect by itself, sometimes the reboot is needed. Some mobile phones are dropped randomly with password requirement for reconnection or wifi disable/enable step. Both of them powered via POE. Sometimes the port 1 flips and reduce the rate from 1G to 100M. Hap ax3 with the same confign does not act like that.
No similar issue was observed with 7.8. So, downgraded back to 7.8.

coddy · Thu Apr 13, 2023 1:03 am

CAPsMAN AX3/Audience issues with 7.9RC1 and 7.9RC2

Dynamic binding of datapath to bridge port not working on remote Hap AX3 devices

Dynamic binding of datapath to bridge port works on Hap AX3 device if it is also acting as the CAPsMAN

Updating CAPsMAN wifi profiles results in remote APs re-creating their wifi interfaces names with next available number. Resulting in manual wifi->bridgeport bindings being lost

Audience does not support vlan assignment for WiFi, resulting in it not being able to participate in the CAPsMAN configuration.

Incorrect password [Using WPA2] occurs after a period of time across multiple devices (Samsung Phones/Win11 etc), only resolved by rebooting APs

Longer version
Hap AX3 has issues with 7.9rc1&rc2 with capsman. Datapath fails to dynamically add to bridge on remote APs, and comms go nowhere unless the wifi interface is manually added to the bridge port, and bridges uplink (trunk) port is set to disable hardware offloading. Manually bridging wifi/virtual ap to bridge creates issues also. If the CAPsMAN configuration is updated, the remote CAPs will re-create their wifi interface names using the next available wifi numbers. This means you have to go back and add the new interface names to the bridge. Rebooting the remote CAP will result in it getting its original wifi names, and the bridge ports working again. => Dynamic bridge port assignment not working on remote CAPs, If CAPsMAN is running on an AP, that AP will work with dynamic binding.

I also have the problem of 'incorrect password' after a period of time. Phones (Samsung) and Laptop (Win11) all show disconnected with invalid password. Re-entering the credentials (WPA2) does not correct the problem. Only solution is to reboot the CAPsMAN AP and then the remote APs. Once done, systems can re-connect (Win11 automatically, Samsung Phone you have to tap the SSID in the WiFi list and then it will attempt to re-connect).

I also have an Audience, and the firmware does not support vlan assignment on it. Hence it cannot be part of the CAPsMAN network at present.

So, in summary: 7.9rc2 lack of dynamic datapath bridge binding makes CAPsMAN unworkable (Any changes to CAPsMAN config result in remote APs regenerating their interface names and hence no longer being bridged to the network). 'Incorrect password' issue after a period of time, with a reboot of APs being the only solution.

I bit of work is needed before I can have a stable WiFi with FT roaming across AX3 unfortunately. I do not know if Mikrotik will ever support vlan assignment on the Audience, and I may have to drop it from the network (If it can't be managed by CAPsMAN it cannot participate in FT roaming).

ofca · Thu Apr 13, 2023 5:30 am

How's L3HW support for VXLAN encapsulation coming? I'd like to bridge VLAN to VXLAN at wirespeed on CRS317-1G-16S+. Hardware supports it, "wen software sirs?" ;)

massinia · Thu Apr 13, 2023 9:47 am

Longer version
Hap AX3 has issues with 7.9rc1&rc2 with capsman. Datapath fails to dynamically add to bridge on remote APs, and comms go nowhere unless the wifi interface is manually added to the bridge port, and bridges uplink (trunk) port is set to disable hardware offloading. Manually bridging wifi/virtual ap to bridge creates issues also. If the CAPsMAN configuration is updated, the remote CAPs will re-create their wifi interface names using the next available wifi numbers. This means you have to go back and add the new interface names to the bridge. Rebooting the remote CAP will result in it getting its original wifi names, and the bridge ports working again. => Dynamic bridge port assignment not working on remote CAPs, If CAPsMAN is running on an AP, that AP will work with dynamic binding.

I also have the problem of 'incorrect password' after a period of time. Phones (Samsung) and Laptop (Win11) all show disconnected with invalid password. Re-entering the credentials (WPA2) does not correct the problem. Only solution is to reboot the CAPsMAN AP and then the remote APs. Once done, systems can re-connect (Win11 automatically, Samsung Phone you have to tap the SSID in the WiFi list and then it will attempt to re-connect).

I also have an Audience, and the firmware does not support vlan assignment on it. Hence it cannot be part of the CAPsMAN network at present.

So, in summary: 7.9rc2 lack of dynamic datapath bridge binding makes CAPsMAN unworkable (Any changes to CAPsMAN config result in remote APs regenerating their interface names and hence no longer being bridged to the network). 'Incorrect password' issue after a period of time, with a reboot of APs being the only solution.

I bit of work is needed before I can have a stable WiFi with FT roaming across AX3 unfortunately. I do not know if Mikrotik will ever support vlan assignment on the Audience, and I may have to drop it from the network (If it can't be managed by CAPsMAN it cannot participate in FT roaming).

I have none of your problems, I have one hAP ax3 and two hAP ax2 with capsman which work perfectly.
You probably misconfigured capsman wave 2, I don't use dynamic interfaces for wifi.

Thu Apr 13, 2023 10:01 am

If you truly want to use capsman and caps as intended, dynamic interfaces should be possible, including vlan.
I had a similar problem with a test setup, support told me this will be fixed in next version.

Thu Apr 13, 2023 10:35 am

What's new in 7.9rc3 (2023-Apr-12 15:53):

*) tools - fixed "ip-scan" (introduced in v7.9beta4);
*) user-manager - fixed process startup after booting (introduced in v7.9beta4);

rextended · Thu Apr 13, 2023 10:42 am

This?

Please also fix the missing password parameter on /user ssh-keys private import private-key-file=xxx user=xxx
Someone lost it along the way

rextended · Thu Apr 13, 2023 10:42 am

And this?

Already know, already reported from me two times on another two rotueros version, and the exact procedure for fix that error, never fixed.

Then I broke down to rewrite it every time, they didn't care anyway.

On 7.5
viewtopic.php?p=955204#p955204

On 7.6
viewtopic.php?p=962556#p962762

But the MikroTik Staff never gave a damn about it.

coddy · Thu Apr 13, 2023 10:58 am

I have none of your problems, I have one hAP ax3 and two hAP ax2 with capsman which work perfectly.
You probably misconfigured capsman wave 2, I don't use dynamic interfaces for wifi.

CAPsMAN is "meant" to use dynamic binding, so that you do not need to configure static bridge port bindings on each remote CAP. Support has looked at the configuration, stated that dynamic binding will not work (will be fixed, hopefully in the 7.9 release). Also suggested how to setup static binding. I can only surmise that you are using static binding on your AX devices (i.e. Manually bridging the wifi interface to the required bridge/vlan). I also have multiple SSIDs to broadcast (so virtual APs).

As for the incorrect password problem, it started happening at RC2 I think. What version of Mikrotik OS are you using for your setup, and what authentication mechanism are you using (WPA2, WPA3, 802.1x....), and reading other threads I am not alone with that problem.

tpedko · Thu Apr 13, 2023 11:27 am

What's new in 7.9rc3 (2023-Apr-12 15:53):

*) tools - fixed "ip-scan" (introduced in v7.9beta4);
*) user-manager - fixed process startup after booting (introduced in v7.9beta4);

Are you seriously?
containers are broken, but there is no fix.
importing remote image: adguard/adguardhome, tag: latest
was unable to import, container 71e2cc5c-abf7-415c-b63a-45036240aa61

Thu Apr 13, 2023 11:37 am

Rc versions almost always will include fixes for problems introduced in a particular release tree. That is the whole point of "release-candidate". Once rc1 is released, then other releases will be further attempts to stabilize the version before the "stable" release. Other new fixes will be included in the next version "beta" releases.

dynek · Thu Apr 13, 2023 12:44 pm

Is there a way to investigate further what's happening being the scenes with containers via logging ?
e.g. viewtopic.php?p=993606

They seem to be there for quite a while now, but my first attempt to use them is so, so.

Thu Apr 13, 2023 12:49 pm

Are you seriously?
containers are broken, but there is no fix.
importing remote image: adguard/adguardhome, tag: latest
was unable to import, container 71e2cc5c-abf7-415c-b63a-45036240aa61

not "containers", but particular ones imported that are OCI schema based. This is due to change in dockerhub.
Multiple workarounds are already posted in forums, proper "fix" will come with next beta version.

@dynek

as in any other RouterOS menu - items has to be printed before they can be accessed by using their list number.

tpedko · Thu Apr 13, 2023 1:39 pm

not "containers", but particular ones imported that are OCI schema based. This is due to change in dockerhub.
Multiple workarounds are already posted in forums, proper "fix" will come with next beta version.

this problem was already in 7.8beta, why not fix it in 7.9beta?

Thu Apr 13, 2023 1:47 pm

This is due to change in dockerhub.

…and a good one, since it means we're moving toward a world of standards-based container tech, which will help break Docker, Inc's hold on this key technology.

The day RouterOS goes fully OCI-compliant will be a great day.

Multiple workarounds are already posted in forums

My favorite isn't here anywhere — it's on my site — so I'll repeat it here, having no better place to put it: download the image as a tarball and run it through skopeo to "normalize" the format. You can then upload that fixed-up tarball to the router.

$ docker pull adguard-home:latest
$ docker save adguard/adguardhome:latest -o agh-broken.tar
$ brew install skopeo         # or apt, or dnf, or…
$ skopeo copy docker-archive:agh-broken.tar docker-archive:agh-fixed.tar
$ scp agh-fixed.tar myrouter:
$ ssh myrouter
> /container/add file=agh-fixed.tar interface=veth1 …plus any other parameters that please you

If the provenance of the skopeo tool worries you, be assured that it comes from Red Hat's Podman project, one of the leaders in this OCI movement. You can use their "podman" CLI tool in place of "docker" in the commands above, if you prefer.

dynek · Thu Apr 13, 2023 1:56 pm

as in any other RouterOS menu - items has to be printed before they can be accessed by using their list number.

Fair enough I didn't know this yet.
What about the other things (shell not terminating & simple hello world not always running ?)

Thu Apr 13, 2023 2:35 pm

@dynek we found what is causing this and we will try to address this in upcoming versions.

donkeyKong · Thu Apr 13, 2023 3:07 pm

On 7.9rc3, with a CCR2004 it is not receiving ICMPv6 RA (Router Advertisements). Downgrading to 7.8 fixed the issue.

Thu Apr 13, 2023 7:35 pm

tpedko - If we push all of the possible fixes in every release, then we will never reach a "stable" release. We do, at some point when we consider all of the new features quite stable, build an RC version. Then rc1 is released. After that only fixes that polish particular release tree are included. All others are included only in the next release. If we would include all of the possible fixes in every release, then any version would be a beta version. The fix that you refer to was prepared only after rc1 release.

OvcaX · Thu Apr 13, 2023 8:18 pm

Let’s be honest. Ros7 is still beta, even in stable branch

Rox169 · Thu Apr 13, 2023 9:46 pm

OvcaX you must understand it when you have 8 posts..... :)

actck · Fri Apr 14, 2023 4:47 am

Stop making excuses about your ridiculous branch management. Do you think our group of engineers has never seen formal version management? Or rename your stable channel to beta channel. It doesn't deserve to be called stable

Rox169 · Fri Apr 14, 2023 5:34 am

Actck you must understand it when you have 2 posts..... :)

Fri Apr 14, 2023 9:40 am

actck what is not stable for you specifically? you must undestand this is a highly technical user forum. 99.9% of RouterOS users will never see any of the issues in this topic

fakeusername2022 · Fri Apr 14, 2023 9:43 am

There is a bug with Radius Server and User Manager causes Radius Timeout error for clients trying to connect.

seems to be solved with RC4
*) user-manager - fixed process startup after booting (introduced in v7.9beta4);

LynxChaus · Fri Apr 14, 2023 10:18 am

What's new in 7.9rc2 (2023-Apr-05 13:56):

*) snmp - fixed several OIDs that were returning empty values (introduced in v7.9beta4);

mtxrInterfaceStats SNMP subtree now shows some wild values for interfaces:

MIKROTIK-MIB::mtxrInterfaceStatsRxBroadcast.1 = Counter64: 57407172828463104
MIKROTIK-MIB::mtxrInterfaceStatsRxBroadcast.2 = Counter64: 28725071988129792
MIKROTIK-MIB::mtxrInterfaceStatsRxPause.1 = Counter64: 13366149
MIKROTIK-MIB::mtxrInterfaceStatsRxPause.2 = Counter64: 6688077
MIKROTIK-MIB::mtxrInterfaceStatsRxMulticast.1 = Counter64: 209053238165504
MIKROTIK-MIB::mtxrInterfaceStatsRxMulticast.2 = Counter64: 7706661682675712
MIKROTIK-MIB::mtxrInterfaceStatsRxFCSError.1 = Counter64: 48674
MIKROTIK-MIB::mtxrInterfaceStatsRxFCSError.2 = Counter64: 1794347
MIKROTIK-MIB::mtxrInterfaceStatsRxAlignError.1 = Counter64: 161838662680576
MIKROTIK-MIB::mtxrInterfaceStatsRxAlignError.2 = Counter64: 244851790577664
MIKROTIK-MIB::mtxrInterfaceStatsTxExcessiveCollision.1 = Counter64: 1679
MIKROTIK-MIB::mtxrInterfaceStatsTxExcessiveCollision.2 = Counter64: 25998
MIKROTIK-MIB::mtxrInterfaceStatsTxMultipleCollision.1 = Counter64: 22605
MIKROTIK-MIB::mtxrInterfaceStatsTxMultipleCollision.2 = Counter64: 9449
MIKROTIK-MIB::mtxrInterfaceStatsTxSingleCollision.1 = Counter64: 5102
MIKROTIK-MIB::mtxrInterfaceStatsTxSingleCollision.2 = Counter64: 18099
MIKROTIK-MIB::mtxrInterfaceStatsTxExcessiveDeferred.1 = Counter64: 1402
MIKROTIK-MIB::mtxrInterfaceStatsTxExcessiveDeferred.2 = Counter64: 3429
MIKROTIK-MIB::mtxrInterfaceStatsTxDeferred.1 = Counter64: 475
MIKROTIK-MIB::mtxrInterfaceStatsTxDeferred.2 = Counter64: 34
MIKROTIK-MIB::mtxrInterfaceStatsTxLateCollision.1 = Counter64: 6303
MIKROTIK-MIB::mtxrInterfaceStatsTxLateCollision.2 = Counter64: 2

All interfaces stay on 1000 Tx-Full, where it found Collisions over 1Gbps links??

kalamaja · Fri Apr 14, 2023 10:29 am

PROBLEM: hAP AX lite with both 7.8 and 7.9rc3: without wifiwave2 package (due to user error) installed, Reset Configuration via button or GUI ends up with NO configuraton. User must know he must access router using winbox+MACaddress+ethernet and install wifiwave2 from extras package, otherwise it's bricked for him without reasonable way to restore.

Story: hAP AX lite comes with 7.6. Upgraded via downloaded 7.8 main package because no access to ethernet for it and didn't even have a look on installed packages list. After that noticed that wifi doesn't come up, so suspecting unhappy upgrade, did a reset configuration via button and it went even worse. Organized access to ethernet, luckily I also knew how to reach router via winbox+MACaddress and figured out that it MIGHT be caused by wifiwave2 is missing from extras. After installation of wifiwave2 Reset Configuration went back to normal again.

Fri Apr 14, 2023 10:43 am

That's a triple error.
Manual upgrade instead of normal upgrade process, not taking into account all packages and then pressing reset.
Will normally not happen for a "normal" user :lol:

Fri Apr 14, 2023 11:28 am

kalamaja, just use check for updates. it is there for beginners, so situations like this are avoided. manual uploading of files should not be done anymore, unless you are a seasoned professional and part of this forum

kalamaja · Fri Apr 14, 2023 12:30 pm

kalamaja, just use check for updates. it is there for beginners, so situations like this are avoided. manual uploading of files should not be done anymore, unless you are a seasoned professional and part of this forum :)

Point of the problem is that accidentally partial offline upgrade removes wifiwave2 package and this makes Reset Configuration act wrong. Expected result would be that even without wifiwave2 package, after Reset Configuration router gets default configuration, but without wireless functionality.

volkirik · Fri Apr 14, 2023 1:20 pm

set factory default of SIP timeout to its default : 3 minutes.

anything above that hurts.

whatever · Fri Apr 14, 2023 2:16 pm

ipv6 fasttrack support please

This feature would be nice to mitigate the removed route cache when upgrading from ROS 6.

nonolk · Fri Apr 14, 2023 5:06 pm

CAPsMAN AX3/Audience issues with 7.9RC1 and 7.9RC2

Incorrect password [Using WPA2] occurs after a period of time across multiple devices (Samsung Phones/Win11 etc), only resolved by rebooting APs[/

I also have the problem of 'incorrect password' after a period of time. Phones (Samsung) and Laptop (Win11) all show disconnected with invalid password. Re-entering the credentials (WPA2) does not correct the problem. Only solution is to reboot the CAPsMAN AP and then the remote APs. Once done, systems can re-connect (Win11 automatically, Samsung Phone you have to tap the SSID in the WiFi list and then it will attempt to re-connect).

I'm facing the same issue on an HAP Ax2, it's only appearing using v7.9 from beta till rc2 (didn't test rc3 until now). I'm using static wifi interfaces with vlans. Do you need a support ticket for this issue ?

Fri Apr 14, 2023 5:17 pm

See post 117 and 121 above.
It will be fixed in a later version.

nonolk · Fri Apr 14, 2023 5:30 pm

See post 117 and 121 above.
It will be fixed in a later version.

But the post you are referring to, are about dynamic interface/bridge, not about authentication issues, like stated in posts 114, 97 and 95.

So for me it's not the same issue, or I'm wrong ?

Fri Apr 14, 2023 6:15 pm

Ah, but your response did not specify what part of the complete quote you made was your problem (the usual problem with complete quotes and not clarifying...).
Using static wifi interfaces and VLANs, I had it working.
Using dynamic interfaces and VLANs as well but with a workaround which required completely disabling VLAN handling on the AP-bridge which kind of negates the way I want to use it. So I stopped that experiment until the proper fix comes out.
Working means for me also authentication was functioning.

nonolk · Fri Apr 14, 2023 8:09 pm

You’re right, therefore I edited the post with just the useful information.

coddy · Fri Apr 14, 2023 9:24 pm

@nonolk: I don't have a SUP for the "incorrect password" problem, I don't have a handle on it yet.

I created a sup for the dynamic binding/vlan problems, and was informed it will be fixed (hopefully 7.9 final, but that may be too optimistic).

I don't know at this stage if the password problem is caused by FT=yes, I know it takes a long time to appear. There are some key timeouts in the FT section notably ft-r0-key-lifetime which defaults to 600000s (~7 days). I might change that down to less than a day and see if the problem occurs more frequently.... Just I have to reboot all the APs after the config change because the static bindings will be lost (such a pain).

Update: Changed ft-r0-key-lifetime to 300s and could not get failure (under RC3). So probably nothing to do with FT. Will see if problem re-occurs under RC3+.

Ullinator · Sat Apr 15, 2023 5:27 pm

*) wifiwave2 - automatically add a VLAN-tagged interface to the appropriate bridge VLAN;
I use a CHR as CAPsMANv3 with 7.9RC3 and a hAP AX2 as CAP with 3 SSID´s, two of them with VLAN tag (Guest and IoT).
But in none of my configs (I´ve tried several onces) the automatically add VLAN-tagged interface to the appropriate bridge VLAN is working.
Even the VLAN tag is missing in the CAP bridge wifi interfaces although it´s shown in the CAPsMAN:

hc_299.jpg

No VLAN tag on the bridge interfaces:

hc_301.jpg

And the dynamic created interfaces are shown in the bridge only if I add "dynamic" manually to the bridge.

td32 · Sat Apr 15, 2023 7:27 pm

got my hands on hap ax3

first issue with wifiwave2, device can't connect with wpa2-psk ccmp while it worked fine with ros 6.x on hap ac same config.

i keep getting in the logs a loop of the following lines :

MAC_ADDR@wifi1 connected, signal strength -44
MAC_ADDR@@wifi1 reauthenticating
MAC_ADDR@@wifi1 reauthenticating
MAC_ADDR@@wifi1 connected, but was associated
MAC_ADDR@@wifi1 disconnected, key handshake timeout, signal strength -44
loops the above logs

[Some_User@MikroTik] > /interface/wifiwave2/actual-configuration print
 0 name="wifi1" mac-address=MAC-ADDR arp-timeout=auto radio-mac=MAC-ADDR 
   configuration.mode=ap .ssid="Some_SSID" .country=Some_Country
   security.authentication-types=wpa2-psk .encryption=ccmp .passphrase="Some-PASS" .disable-pmkid=yes 
   channel.frequency=5180 .band=5ghz-n .width=20mhz .skip-dfs-channels=all

on the client android tablet sometimes it says wrong password

I can connect only by downgrading to wpa-psk

Amm0 · Sat Apr 15, 2023 8:12 pm

Code: Select all
.band=5ghz-n 

Not saying it shouldn't work, per se. But any reason to change the band? e.g. the default, .band=5ghz-ax

Sat Apr 15, 2023 8:13 pm

Doesn't make sense with an ax device, indeed.

td32 · Sat Apr 15, 2023 8:27 pm

Code: Select all
.band=5ghz-n 
Not saying it shouldn't work, per se. But any reason to change the band? e.g. the default, .band=5ghz-ax

same issue with ax or any other band. Was set to n to replicate the known working config of the hap ac on ros 6.x
Have tried every combination possible but the only working solution it to downgrade to wpa-psk!.

Amm0 · Sat Apr 15, 2023 8:29 pm

Does it happen in stable v7.8?
Now...there is a lot of functionality that's missing in wifiwave2...so very well may not work in v7.8.

td32 · Sat Apr 15, 2023 8:37 pm

Does it happen in stable v7.8?
Now...there is a lot of functionality that's missing in wifiwave2...so very well may not work in v7.8.

same issue with the same exact log output *disconnected, key handshake timeout*

Sat Apr 15, 2023 9:07 pm

What if you disable ccmp ?

Just checked, I don't have it enabled on my setup (wpa-psk2 and psk3).

mkx · Sat Apr 15, 2023 9:23 pm

CCMP is standard WPA2 encryption algorithm ... part of AES from WPA2. WPA3 added other algorithms, hence it's now shown explicitly in wave2 setup. I guess it's used if nothing is configured explicitly, in which case removal of this option won't make any difference.

https://en.m.wikipedia.org/wiki/CCMP_(cryptography)

td32 · Sat Apr 15, 2023 9:26 pm

What if you disable ccmp ?

Just checked, I don't have it enabled on my setup (wpa-psk2 and psk3).

Same issue. Only by enabling wpa-psk it connects immediately ...
it must be some missing implementation on wifiwave2 since this device worked fine with wpa2-psk on ros 6.x

Sat Apr 15, 2023 9:28 pm

Doesn't hurt to try, You never know if it's yet another bug.

And close the section with the encryptions, don't leave it open with nothing selected.

LynxChaus · Sun Apr 16, 2023 3:42 pm

ip route check-gateway=arp is broken too. It sends ICMP ping instead of ARP request.

easyswiss · Sun Apr 16, 2023 5:28 pm

Paste scripts in Winbox terminal does not work. If you paste script with SSH, it works.
Also checked with 7.8. No idea how long this bug exists. Last time checked in 6.48

Reconstruction:
Paste the following script to winbox or to SSH

:global sqrt do={
  :for i from=0 to=$1 do={
    :if (i * i > $1) do={ :return ($i - 1) }
  }
}

:global addNatRules do={
  /ip firewall nat add chain=srcnat action=jump jump-target=xxx \
    src-address="$($srcStart)-$($srcStart + $count - 1)"

  :local x [$sqrt $count]
  :local y $x
  :if ($x * $x = $count) do={ :set y ($x + 1) }
  :for i from=0 to=$x do={
    /ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)" \
     src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))"
  }

  :for i from=0 to=($count - 1) do={
    :local prange "$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)"
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=tcp src-address=($srcStart + $i) \
     to-address=$toAddr to-ports=$prange
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=udp src-address=($srcStart + $i) \
     to-address=$toAddr to-ports=$prange
  }
}

Winbox Terminal -> Error
SSH -> Works

Code source: https://wiki.mikrotik.com/wiki/Manual:I ... _or_NAT444

eworm · Sun Apr 16, 2023 6:13 pm

I guess this is due to line endings. Try to end all commands with a semicolon to avoid this.

(Yes, some people here are against ending commands with semicolon... But there are good reasons to use them.)

As an alternative you can make sure to save the file with Windows line endings (not just line break, but also carriage return).

Would be nice if Winbox could work with Unix line endings in terminals as well. Fun fact: Winbox with Wine works as expected. 😝

rextended · Sun Apr 16, 2023 11:30 pm

Just tested on 6.48.6 and 7.8 on Winbox terminal: no errors.

And if you have error, where is the screenshot?

coddy · Mon Apr 17, 2023 1:01 am

@Ullinator see my post #114, dynamic port binding does not work in AX models at present.
If you want to get it to work you have to manually bind the wifi interface to the bridge using the correct vlan-id. Here's hoping Mikrotik get this sorted soon, they have an AX CAP device in production now, I am sure they need the firmware to support it. The current workarounds are not supportable at scale.

loloski · Mon Apr 17, 2023 4:14 am

Winbox Terminal -> Error
SSH -> Works

reproduce in ros v7.7

I can reproduce this copy and paste error in windows 11 the script is being copy from notepad, i used notepad++ as a workaround

Amm0 · Mon Apr 17, 2023 5:20 am

*) rose-storage - various stability fixes;

Likely worth mentioning specifically... but ROSE now seems to mount SMB in MacOS 13.3 in v7.9rc. That was not working in v7.8. Thanks!

Mon Apr 17, 2023 8:21 am

I use a CHR as CAPsMANv3 with 7.9RC3 and a hAP AX2 as CAP with 3 SSID´s, two of them with VLAN tag (Guest and IoT).
But in none of my configs (I´ve tried several onces) the automatically add VLAN-tagged interface to the appropriate bridge VLAN is working.

The wifi interface is only automatically added to the appropriate bridge VLAN, when datapath.vlan-id is configured on the cAP.
We are yet to implement this functionality when datapath.vlan-id is only configured on the CAPsMAN.

Mon Apr 17, 2023 8:23 am

device can't connect with wpa2-psk ccmp while it worked fine with ros 6.x on hap ac same config.

Does the issue persist if you set security.disable-pmkid to 'no'?
If so, please open a support ticket regarding this.

Ullinator · Mon Apr 17, 2023 6:00 pm

I use a CHR as CAPsMANv3 with 7.9RC3 and a hAP AX2 as CAP with 3 SSID´s, two of them with VLAN tag (Guest and IoT).
But in none of my configs (I´ve tried several onces) the automatically add VLAN-tagged interface to the appropriate bridge VLAN is working.
The wifi interface is only automatically added to the appropriate bridge VLAN, when datapath.vlan-id is configured on the cAP.
We are yet to implement this functionality when datapath.vlan-id is only configured on the CAPsMAN.

Hi FToms, the VLANs ARE added to the bridge:

hc_512.jpg

but I can´t change the VLAN ID in a dynamic interface:

hc_513.jpg

How should it work in your opinion?

Mon Apr 17, 2023 7:53 pm

Disable vlan bridging on ap bridge.
That's how it worked for me after feedback from support.

td32 · Mon Apr 17, 2023 11:09 pm

device can't connect with wpa2-psk ccmp while it worked fine with ros 6.x on hap ac same config.
Does the issue persist if you set security.disable-pmkid to 'no'?
If so, please open a support ticket regarding this.

Yes same issue with or without disable-pmkid set.
Will open a ticket.

iain · Tue Apr 18, 2023 2:31 am

The fan control settings don't seem to do anything. I set a minimum fan percentage on my CCR2116-12G-4S+ (which I've upgraded to use PWM fans) but they still just stop when the temp goes a bit below 58 and then spin up loud again when it goes a few degrees over. I wonder if just swapping out the fans is enough to get the board to realise that it has pwm fans

moojp · Tue Apr 18, 2023 7:00 am

The fan control settings don't seem to do anything.

On my CCR2116 with Noctua PWM fans.
I have confirmed that there are some levels of rpm.
0% = 0～3000 rpm (automatic?)
20% = 0～3000 rpm (same to above?)
40% = 3000～3500 rpm
60% = 4000～4500 rpm
100％ = 4700～5000 rpm

alibloke · Tue Apr 18, 2023 9:49 am

Disable vlan bridging on ap bridge.
That's how it worked for me after feedback from support.

Not quite following you, can you elaborate a little?

Tue Apr 18, 2023 9:52 am

Apologies, bad wording from my side.
On AP device, disable VLAN filtering.
Winbox / Bridge / tab VLAN, uncheck VLAN Filtering.
This worked for me.

But I disabled that workaround and usage of capsman2 and will wait for a next version where this is implemented properly.

Ullinator · Tue Apr 18, 2023 10:26 am

Apologies, bad wording from my side.
On AP device, disable VLAN filtering.
Winbox / Bridge / tab VLAN, uncheck VLAN Filtering.
This worked for me.

But I disabled that workaround and usage of capsman2 and will wait for a next version where this is implemented properly.

Hi holvoetn,
thank you very much! It´s totally strange, but it works now :-)
I have no idea how, but it does!

hc_514.jpg

"OS2WG AX Gast" is VLAN99 in my network and the client get´s the right IP, although the VLAN is not filtered on the CAP, really strange!

onion83 · Tue Apr 18, 2023 7:08 pm

2.5Gbps Fixed rate on GPON SFP (Huawei MA5671A) works but PPPoE Scan is not working (shows no entries) was working on 7.7 stable on RB5009.

7.9rc3 still not work :(

onion83 · Tue Apr 18, 2023 7:20 pm

IPv6 NAT "custom route table" or "Policy routing" still not working. see viewtopic.php?t=190002 [SOLVED]

iain · Tue Apr 18, 2023 11:07 pm

The fan control settings don't seem to do anything.
On my CCR2116 with Noctua PWM fans.
I have confirmed that there are some levels of rpm.
0% = 0～3000 rpm (automatic?)
20% = 0～3000 rpm (same to above?)
40% = 3000～3500 rpm
60% = 4000～4500 rpm
100％ = 4700～5000 rpm

Yeah, I don't know if the fan controller has some static RPM -> PWM% mapping, but I got some 250-6000 RPM fans and they don't really behave as I would expect them to. The change in RPM is not linear with the temperature target at all and the fan behaviour is very similar to how it was with non PWM fans with the RPM jumping from ~2.7k RPM to 5k RPM when the temp hits 59 (default target of 58). I tried setting a min fan speed percent of 10% and the fans turned off at around 55 degrees. I now have the min fan speed at 40% and they seem to be staying on at 2.7kish.

fakeusername2022 · Thu Apr 20, 2023 9:48 pm

Any idea if Mikrotik will add support of TLS v1.3 to the SSTP server/client?!

Network5 · Fri Apr 21, 2023 11:50 am

IMPORT/EXPORT note:
When trying to import in 7.9rc3 the configuration from 7.8 there could be a syntax problem on /routing/bgp/vpn, the command line gets discarded.

/routing bgp vpn
add disabled=yes export-route-targets=xxx:1004 import-route-targets=xxx:1005 label-allocation-policy=per-vrf redistribute=connected route-distinguisher=xxx:1004 vrf=vrf-MPLS_TEST

In 7.9 some parameters seems changed (import., export.) and redistribute is missing from the parameters list:

/routing bgp vpn
add disabled=yes export.route-targets=xxx:1004 import.route-targets=xxx:1005 label-allocation-policy=per-vrf route-distinguisher=xxx:1004 vrf=vrf-MPLS_TEST

Fri Apr 21, 2023 11:59 am

redistribute is not missing, it is named export.redistribute

jhbarrantes · Sat Apr 22, 2023 9:29 pm

Is anyone haivng wireles issues with a hAP-ax3 and the last 7.9rc3? Wireless interfaces suddenly went down with no aparent reason or error on logs (both, not only 5Ghz, so it is not a DFS issue). The only particular thing of this equipment is that is setup with VLAN filtering (couple of vlans coming from ether1 and redristribute it in two wirless interfaces). When login into winbox, wifi interfaces looks fine, but all clients has been disconnected and SSID is not anounced. When reverting back to 7.8, issue seems to dissapear.

Thanks!

2dfx · Sat Apr 22, 2023 11:37 pm

Pls add in PPP attribute Address-List over RADIUS Auth.
In MikroTik Specific RADIUS Attribute Numeric Values:
Mikrotik-Address-List 14988 (Mikrotik) 19 string
But it didn`t work.

PS Mikrotik-Group 14988 (Mikrotik) 3 string - work fine!

Kaldek · Sun Apr 23, 2023 12:51 am

Looks like the DHCP options sequencing issue that broke Google Nest Doorbells has been reintroduced in 7.9. Please resolve!

bpwl · Sun Apr 23, 2023 12:22 pm

Disable VLAN filtering, or add the tagged VLAN needed to the wifiwave port ?

viewtopic.php?t=195600#p997933

Kaldek · Mon Apr 24, 2023 4:01 am

Looks like the DHCP options sequencing issue that broke Google Nest Doorbells has been reintroduced in 7.9. Please resolve!

Confirmed this is indeed broken. DHCP failing for a multitude of devices in my environment with the "DHCP offering lease without success" log messages. It's happening to a multitude of devices, notably:

Google Nest Doorbell
enphase envoy Solar controller
All my Tasmota devices running Tasmota 12.4.x

Kraken2k · Mon Apr 24, 2023 1:59 pm

Any idea if Mikrotik will add support of TLS v1.3 to the SSTP server/client?!

I'm wondering about the same thing. Could supporting only old and obsolete cipher suites for SSTP be considered as a bug? Probably not :(

leonardogyn · Mon Apr 24, 2023 6:34 pm

No, it has not been fixed. Instant crashes due to high CPU utilization.

I'm also facing problems with OpenVPN on 7.8, and i really don't believe it's being triggered by high CPU usage. I'm facing that on a CCR1009 which barely exceeds 7-8%, so there's really a lot of spare CPU time and, even then, the problem is happening, just as described on several posts on the 7.8 release. Openvpn interface shows connected but doesn't flow traffic. Restarting the interface doesn't solve the problem, only rebooting the routerboard seems to solve it.

Haven't tried 7.9rc on the places i'm facing the problem, but not good hearing it's not fixed :(

peich1 · Mon Apr 24, 2023 11:13 pm

No, it has not been fixed. Instant crashes due to high CPU utilization.
I'm also facing problems with OpenVPN on 7.8, and i really don't believe it's being triggered by high CPU usage. I'm facing that on a CCR1009 which barely exceeds 7-8%, so there's really a lot of spare CPU time and, even then, the problem is happening, just as described on several posts on the 7.8 release. Openvpn interface shows connected but doesn't flow traffic. Restarting the interface doesn't solve the problem, only rebooting the routerboard seems to solve it.

Haven't tried 7.9rc on the places i'm facing the problem, but not good hearing it's not fixed :(

The problem happens when a tunnel gets incorrectly disconnected (because the internet connection drops off or whatever reason). The router is not capable of killing the connection (that's why you see the interface still as "connected") and you cannot kill it either. A new dynamic interface is created but the old connection uses a full core from the CPU and, after some variable time, the router gets restarted.

Still no solution for this, and it seems neither for short or medium-term...

Rox169 · Tue Apr 25, 2023 2:47 pm

MT, where is STABLE version? Long time and nothing happend :)

Larsa · Tue Apr 25, 2023 2:59 pm

Have you checked the amount of changes in the current thread? It's been less than 2 weeks (April 12) since rc3 was released...

Rox169 · Tue Apr 25, 2023 3:47 pm

Im just kidding....... :) but there must be something...it takes suspecially long :) 15 days in one RC is suspected...

What's new in 7.9rc3 (2023-Apr-12 15:53):

Changes in this release:

*) tools - fixed "ip-scan" (introduced in v7.9beta4);
*) user-manager - fixed process startup after booting (introduced in v7.9beta4);

What's new in 7.9rc2 (2023-Apr-05 13:56):

Changes in this release:

*) snmp - fixed several OIDs that were returning empty values (introduced in v7.9beta4);
*) ssh - added support for Ed25519 key export and import in PKCS8 format;
*) wifiwave2 - fixed group key update for VLAN-tagged clients (introduced in v7.9beta4);

What's new in 7.9rc1 (2023-Mar-30 16:42):

Larsa · Tue Apr 25, 2023 3:55 pm

IMO, better they test it properly than the usual "stable" releases that sometimes were full of issues. Is there something in particular that isn't working that you're waiting for?

Tue Apr 25, 2023 3:57 pm

What's new in 7.9rc4 (2023-Apr-24 16:34):

*) defconf - added CAPs mode script for wifiwave2 devices;
*) ovpn - improved system stability for Tile devices;
*) snmp - fixed several OIDs that were returning incorrect values (introduced in v7.9beta4);
*) snmp - fixed SNMPv3 "Reportable" flag behavior;
*) ssh - fixed SSH host key export (introduced in v7.9beta4);
*) switch - improved system stability during rapid MAC flapping for 98DXxxxx switches;
*) vxlan - improved system stability when printing FDB table (introduced in v7.9beta4);
*) webfig - fixed bogus comment for dynamic routes (introduced in v7.9beta4);
*) wifiwave2 - fixed WPS connectivity issues on 802.11ax APs (introduced in v7.9beta4);
*) wifiwave2 - improved WPS connection speed;

Rox169 · Tue Apr 25, 2023 4:00 pm

I fully agree...to test stable version properly not like few months ago... I'm waiting for version 7.10 :) there should be fix for 60Ghz device and fix for samba v1 to be able use with hikvison camera... Here we are another RCv4 :)

Tue Apr 25, 2023 4:14 pm

BAM !
New intermediate version :)

leonardogyn · Tue Apr 25, 2023 4:35 pm

What's new in 7.9rc4 (2023-Apr-24 16:34):
[ .... ]
*) ovpn - improved system stability for Tile devices;
[ .... ]

.
Great to hear that :)