v7.8rc is released!

Fri Feb 10, 2023 10:07 am

RouterOS version 7.8rc has been released in the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.8rc3 (2023-Feb-20 16:32):

*) vxlan - fixed MAC learning when using FastPath (introduced in v7.8beta3);

What's new in 7.8rc2 (2023-Feb-14 11:50):

*) certificate - fixed export of a certificate when the last line of the certificate is exactly 64 bytes long;
*) conntrack - improved system stability when PPTP helper is used;
*) leds - always require to set interface name when setting "modem-signal" indication;
*) lte - fixed config-less modem support (introduced in 7.8rc1);
*) lte - fixed possible memory leak when using passthrough mode on Chateau 5G;
*) ovpn-server - fixed HW encryption capability detection on ARM64 devices (introduced in 7.8rc1);
*) sfp - fixed certain optical module initialization (introduced in 7.8beta2);

What's new in 7.8rc1 (2023-Feb-08 20:03):

!) storage - added new "rose-storage" package support for extended disk management and monitoring functionality (ARM, ARM64, Tile and x86) (CLI only);
*) bridge - fixed DHCP packet flow when using DHCP snooping, HW offloading and "use-ip-firewall";
*) bridge - fixed possible DHCP packet corruption when using DHCP snooping;
*) certificate - fixed certificate import (introduced in v7.8beta2);
*) console - added "as-string" parameter to the ":execute" command;
*) lte - improved stability for R11e-LTE6, skip connection reset on first EEMGINFO command timeout;
*) ovpn - improved server stability;
*) ovpn - improved TLS-related error logging;
*) route - show hoplimit and MTU properties under the "/routing route" menu for SLAAC routes;
*) ssh - improved system stability when processing none-crypto SSH connection;
*) switch - improved 10G, 25G, 40G and 100G interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) swos - removed "/system swos" menu for CRS5xx series switches;
*) vxlan - added "max-fdb-size" parameter;
*) wifiwave2 - fixed compatibility with third-party devices when using SAE hash-to-element authentication with DH groups 20 and 21;
*) wifiwave2 - fixed SAE authentication for interfaces in station mode when trying to connect to APs which require an anti-clogging token (introduced in RouterOS 7.4);

Other changes since v7.7:

*) bgp - fixed setting of "default-prepend" parameter;
*) bridge - fixed adding disabled MSTI;
*) bridge - fixed PVID warning typo;
*) bridge - improved HW offloading logic;
*) certificate - fixed PBES2 certificate import;
*) certificate - improved certificate management, signing and storing processes;
*) certificate - improved multiple certificate import process;
*) conntrack - improved system stability when changing connection tracking state;
*) container - added authentication option for registry (CLI only);
*) container - fixed ".type" file ownership;
*) container - fixed file ownership after system upgrade for containers running on internal disk;
*) container - fixed multiple container automatic startup on boot;
*) dhcpv4-client - send DHCPv4 unicast requests to DHCPv4 relay, instead of server when it is being used;
*) disk - limit maximum TMPFS size;
*) dns - added configurable DoH concurrent query limitation parameters;
*) dns - do not cache results from ":resolve" command with specific server;
*) dns - fixed CNAME reading from the cache;
*) dns - limited "DoH max concurrent queries reached" logging messages to once per minute;
*) dns - respond with "NOERROR" to DNS requests for static domain names when appropriate type record is not configured or found on upstream server;
*) firewall - fixed bridge priority target;
*) firewall - fixed DSCP priority target for IPv6 Mangle;
*) firewall - fixed netmap range maximum address calculation for IPv6 NAT;
*) graphing - fixed hiding of target queues when "allow-target" is disabled;
*) graphing - fixed sorting of interface and queue graphs;
*) graphing - properly handle disabled and static-binding interface graphs;
*) graphing - removed "move" command for graphing rules;
*) health - fixed "temperature" and "power-consumption" readings for RB1100AHx4;
*) hotspot - fixed setting of "address" parameter for IP binding;
*) hotspot - restore cookie timeout on reboot;
*) ike2 - added support for "address", "key-id" and "dn" for Remote ID matching (CLI only);
*) ike2 - fixed active SA flush on responder after an unsuccessful peer connection attempt;
*) ipsec - added support for "Framed-Route" RADIUS attribute support;
*) ipsec - do not match incoming IKE requests by unresolved DNS name peers;
*) ipsec - fixed peer matcher for incoming connection with unresolved DNS;
*) ipv6 - added "pref64" option configuration for RA;
*) ipv6 - improved handling of "advertise" IPv6 address status changes;
*) ipv6 - limited "hop-limit" parameter value range to 255;
*) ipv6 - made distributed DNS lifetime RFC8106 compliant;
*) l3hw - added destination MAC address check for offloaded FastTrack connections;
*) led - fixed signal reading for KNOT device;
*) lte - added AT support for Telit LE910C4 in MBIM mode;
*) lte - fixed APN setting usage on initial connection attempt for AT based Quectel and Neoway modems;
*) lte - fixed automatic antenna selection on Chateau LTE12/LTE18;
*) lte - fixed dialing for Fibocom L850-GL module;
*) lte - fixed displaying of "subscriber-number";
*) lte - improved AT port matching for SIMCom, Huawei, WeLink, Cinterion, BandLuxe and Sierra modems;
*) lte - improved modem detection speed in lower mini-PCIe slot on LtAP;
*) lte - LtAP improved modem detection in lower mini-PCie slot ("/system routerboard upgrade" required);
*) lte - parse USSD even if encoding is unsupported;
*) mpls - fixed handling of more than 9 VRF's;
*) mpls - fixed LDP listen socket creation before IPv6 address is ready for use;
*) mpls - improved stability when neighboring router reboots;
*) ospf - fixed "ospf-type" parameter for OSPFv3 routes;
*) ospf - fixed simple auth for OSPFv3;
*) ovpn - added AES-GCM and multicore encryption support;
*) pimsm - improved system stability;
*) poe - added LLDP power management support for 802.3at PSE;
*) poe - properly turn off power when link not detected on hAP ax2 and hAP ax3;
*) port - fixed modem channel number on KNOT;
*) pppoe - fixed PPPoE client scan showing only one server;
*) resource - show filesystem related statistics on CCR2004;
*) route - added hoplimit and metric parameters to SLAAC routes;
*) route - fixed IPv6 default route presence when received from RA;
*) route - fixed printing of routing table's "count-only" parameter;
*) routerboot - fixed format storage for RBM33G device ("/system routerboard upgrade" required);
*) routerboot - fixed protected routerboot for RBM33G device ("/system routerboard upgrade" required);
*) sfp - fixed false link detection with S+RJ10 on RB5009;
*) sfp - fixed reading of SFP EEPROM on single SFP port devices;
*) sfp - improved optical modules SFP compatibility on CCR2004-16G-2S+, CCR2004-1G-12S+2XS, CCR2116-12G-4S+ devices;
*) sms - improved reporting of SMS sending errors;
*) sms - log USSD response when USSD is sent over MBIM;
*) sniffer - added additional filtering parameters;
*) snmp - do not show identity in LLDP when branding is used with hide SNMP data;
*) snmp - fixed handling of disabled routes;
*) snmp - fixed reporting of total number of routes counter;
*) ssh - hard-coded "localhost" address for forwarding requests;
*) sstp - fixed TLS session establishment when "connect-to" is DNS name;
*) switch - fixed "switch-cpu" counters (introduced in 7.8beta2);
*) switch - fixed SFP rate select for CRS354 devices;
*) switch - improved system stability for 98DXxxxx switch chips;
*) torch - allow "without-paging" parameter for Torch;
*) traffic-generator - increased maximum allowed stream count;
*) upgrade - show error message when license prohibits upgrade;
*) usb - changed USB auto detect behavior to default to the external USB, when no internal USB devices detected
*) vxlan - added "dont-fragment" setting that allows managing fragmentation;
*) vxlan - added FastPath support;
*) webfig - allow setting numeric values in time interval fields;
*) webfig - fixed accessing of WebFig when "Interface" menu is disabled by skin;
*) webfig - fixed editing of multi-field parameters with "not" checkbox;
*) webfig - fixed handling of empty skin files;
*) webfig - improved navigation responsiveness;
*) webfig - improved skin file parsing;
*) webfig - improved terminal operation;
*) webfig - properly escape all reserved URI characters;
*) webfig - updated WebFig and graph web pages to HTML5;
*) wifiwave2 - added wireless sniffer tool to capture wireless transmissions (CLI only);
*) wifiwave2 - adjust monitoring of station interfaces to report when an interface is authorized, not just connected;
*) wifiwave2 - enabled additional channels in UNII-3 and UNII-4 bands for Europe and USA on hAP ax^2, hAP ax^3 and Chateau ax;
*) wifiwave2 - fixed 802.11r fast transition when using wpa3-psk authentication (introduced in 7.8beta2);
*) wifiwave2 - implement 802.11w management protection SA Query procedures;
*) wifiwave2 - improve protections from denial-of-service attacks on WPA3;
*) winbox - added "Connect" button under "WifiWave2/Scan" menu;
*) winbox - added "Disable/Enable" buttons under "WifiWave2" menu;
*) winbox - added "Match Subdomain" parameter under "IP/DNS/Static" menu;
*) winbox - added "Provision" button under "WifiWave2" menu;
*) winbox - added "Start On Boot" checkbox under "Container" menu;
*) winbox - added "Tx Rate" and "Rx Rate" columns under "WifiWave2/Registration" menu;
*) winbox - added missing properties when setting "Use DoH Server";
*) winbox - added missing WifiWave2 related parameters under "WifiWave2" menu;
*) winbox - added support for manual RAM file system (TMPFS) creation under "System/Disk" menu;
*) winbox - added Type "https-get" parameter under "Tools/Netwatch" menu;
*) winbox - allow selecting bridge for static entries under "Bridge/MDB" menu;
*) winbox - fixed displaying of "Default Prepend" value under "Routing/BGP/Sessions" menu;
*) winbox - fixed displaying of "Tx/Rx CCQ" values under "Wireless/Registration" menu;
*) winbox - fixed displaying of flags under "System/Console" menu;
*) winbox - fixed displaying of multiple character flags;
*) winbox - fixed usage of IPv6 family addresses under "IP/Web Proxy/Access" menu;
*) winbox - hide "TTL" value for static DNS entries with FWD type;
*) winbox - hide unnecessary properties for virtual interfaces under "WifiWave2" menu;
*) winbox - improved mouseover hint for "local" policy under "System/Users/Groups" menu;
*) winbox - rename "Multicast Router" monitoring property to "Is Multicast Router" under "Bridge" menu;
*) winbox - show "Gateway" column by default under "IPv6/Routes" menu;
*) x86 - added support for TP-Link TG-3468;
*) x86 - fixed SR-IOV support for Intel X710 series NIC;
*) x86 - improved Intel 500 series 10G SFP module support;
*) x86 - improved stability for Intel X550 series NIC with SR-IOV;
*) zeroter - fixed routes after VRF change;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

DenisPDA · Fri Feb 10, 2023 10:35 am

Still a real problem
Looks like DoH prioritization was broken
viewtopic.php?t=192810#p982705

ivicask · Fri Feb 10, 2023 10:41 am

My HAP AC2 after update has only 1% now free (it was 2% on 7.8 beta 3)

I cant even do basic functionality like create system backup with 1% free.

What im supposed to do with router now @Mikrotik?

EDIT:Dyndns update scripts works again atleast which was broken on beta 3 not working from scheduler.

DjM · Fri Feb 10, 2023 10:49 am

*) ovpn - improved server stability;

Can you, please, provide more details / use case?

*) ssh - improved system stability when processing none-crypto SSH connection;

Can be this fix related to run SCP via SSH tunnel terminated on ROS?

Thank you

mducharme · Fri Feb 10, 2023 11:06 am

Still no default route appearing in the IPv6 route list, even though I can ping out to the internet just fine over IPv6.

elbob2002 · Fri Feb 10, 2023 11:10 am

Can this be installed on CRS3XX series switches now?

I know it doesn't say it on the release notes but given all the Beta versions had the warning I'm still a bit hesitant!

Fri Feb 10, 2023 11:46 am

AX3 simply acting as AP upgraded.
No issues seen so far.

rpingar · Fri Feb 10, 2023 12:08 pm

does 7.8rc1 include fix about support #[SUP-97493] that has been closed bye email on 03/02/2023??
regards

StubArea51 · Fri Feb 10, 2023 12:27 pm

Just upgraded hAPax2 & rb5009 and both are working well.

Using IPv4/IPv6 unicast, OSPFv2, OSPFv3, VxLAN, ZeroTier

depth0cert · Fri Feb 10, 2023 12:35 pm

RouterOS version 7.8rc1 has been released "v7 testing" channel!

What's new in 7.8rc1 (2023-Feb-08 20:03):

Changes in this release:

*) certificate - fixed certificate import (introduced in v7.8beta2);

SUP-106766 and SUP-105306 - fixed.
Thank you, MT!

smotrov · Fri Feb 10, 2023 1:44 pm

According to my tests on hAP ax² 7.8rc1 has 15..20% lower WiFi speed comparing to 7.7.
Tested 3 times in a row. Rolled back to 7.7.

Do you have any idea why is it happens?

own3r1138 · Fri Feb 10, 2023 2:51 pm

*) ovpn - improved server stability;

Can you, please, provide more details?

Reference SUP-96432
viewtopic.php?t=190351#p964701

llag · Fri Feb 10, 2023 4:07 pm

Can this be installed on CRS3XX series switches now?

I know it doesn't say it on the release notes but given all the Beta versions had the warning I'm still a bit hesitant!

Same here. I will wait for some confirmation by others that it works well for thembefore I try this on my CRS317. The warning on the alphas was too scary.
I also would like to understand what the reason was for the warning and what change makes this beta suitable for CRS devices again.

kev445 · Fri Feb 10, 2023 4:51 pm

Vodafone UK wifi calling has stopped working.

We don't have mobile reception, so this is a big thing for us.
EE wifi calling is still working.

pe1chl · Fri Feb 10, 2023 5:08 pm

Vodafone UK wifi calling has stopped working.

Maybe another DNS issue? Try if setting an external DNS (e.g. your ISP DNS or like 1.1.1.1 or 8.8.8.8) in the DHCP Network setting fixes it.

slackR · Fri Feb 10, 2023 5:33 pm

Upgraded a CRS305 and CRS309 without any issues so far. OSPFv2, OSPFv3, HW L3. Just need to verify DHCP has been fixed.

DjM · Fri Feb 10, 2023 5:58 pm

*) ovpn - improved server stability;

Can you, please, provide more details?
Reference SUP-96432
viewtopic.php?t=190351#p964701

Thank you

own3r1138 · Fri Feb 10, 2023 6:16 pm

Is something wrong with Server binding? The interface is still connected even though I disabled the client!

105547111 · Fri Feb 10, 2023 6:35 pm

I have noticed with RC1 my sstp tunnel won't establish on a reboot (after firmware upgrade). But if I disable the SSTP tunnel, then re-enable it connects without issue.

I then tried just a reboot and it comes up normally. Only happens on a upgrade + reboot. Same thing happened on last beta.

Cheers,

David

alacis · Fri Feb 10, 2023 6:42 pm

FYI, LED issue introduced with 7.8beta3 still exists - viewtopic.php?t=193289 - after upgrading signal LEDs not working and you need to manually toggle it off and on under System -> LEDs section.

Fri Feb 10, 2023 6:43 pm

I have noticed with RC1 my sstp tunnel won't establish on a reboot (after firmware upgrade). But if I disable the SSTP tunnel, then re-enable it connects without issue.

I then tried just a reboot and it comes up normally. Only happens on a upgrade + reboot. Same thing happened on last beta.

SSTP connection to DNS name or IP address ?
If the former, it could be the DNS resolving was not active yet at that specific moment.
I can perfectly understand after a first reboot, things are bit slower when starting up.

But that's an assumption from my part. Could be something else is playing...

StubArea51 · Fri Feb 10, 2023 7:08 pm

I will wait for some confirmation by others that it works well for thembefore I try this on my CRS317. The warning on the alphas was too scary.
I also would like to understand what the reason was for the warning and what change makes this beta suitable for CRS devices again.

Seems to be good on my CRS317 in the lab - it's still passing L2 tagged traffic.

[zuul@crs317-02-test.lab.ipa.net] > system/routerboard/print 
       routerboard: yes
             model: CRS317-1G-16S+
     serial-number: ABCD123456
     firmware-type: dx3230L
  factory-firmware: 3.40
  current-firmware: 7.8rc1
  upgrade-firmware: 7.8rc1

strzinek · Fri Feb 10, 2023 7:43 pm

*) ike2 - added support for "address", "key-id" and "dn" for Remote ID matching (CLI only);

Hello, how should it be used? In the IPSec identity definition? The code completion gives me no hint and I have not found any changes in the confluence documentation...

CTassisF · Fri Feb 10, 2023 10:14 pm

Even after lots of fixes for certificates, still can't use IKEv2 EAP VPN tunnel to NordVPN servers. IIRC this has been happening since v7.7 betas.

20:01:45 info fetch: file "root.der" downloaded
20:02:45 system,info ipsec modecfg nordvpn added by cesar
20:03:40 system,info ipsec peer nordvpn added by cesar
20:03:41 ipsec,error initiator can't find identity for peer: nordvpn
20:03:51 ipsec,error initiator can't find identity for peer: nordvpn
20:04:01 ipsec,error initiator can't find identity for peer: nordvpn
20:04:11 ipsec,error initiator can't find identity for peer: nordvpn
20:04:21 ipsec,error initiator can't find identity for peer: nordvpn
20:04:31 ipsec,error initiator can't find identity for peer: nordvpn
20:04:39 system,info ipsec identity added by cesar
20:04:41 ipsec,info new ike2 SA (I): nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:c6438b8e214c92a5:5aca58d8b11fe66a
20:04:41 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
20:04:41 ipsec,error can't verify peer's certificate from store
20:04:41 ipsec,info,account peer failed to authorize: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:c6438b8e214c92a5:5aca58d8b11fe66a
20:04:41 ipsec,info killing ike2 SA: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:c6438b8e214c92a5:5aca58d8b11fe66a
20:04:51 ipsec,info new ike2 SA (I): nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:58d940585cecdb38:6fcb9bd3e691d40d
20:04:51 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
20:04:51 ipsec,error can't verify peer's certificate from store
20:04:51 ipsec,info,account peer failed to authorize: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:58d940585cecdb38:6fcb9bd3e691d40d
20:04:51 ipsec,info killing ike2 SA: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:58d940585cecdb38:6fcb9bd3e691d40d
20:05:01 ipsec,info new ike2 SA (I): nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:0cbbc484128c8ca9:e0817c6382f08773
20:05:01 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
20:05:01 ipsec,error can't verify peer's certificate from store
20:05:01 ipsec,info,account peer failed to authorize: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:0cbbc484128c8ca9:e0817c6382f08773
20:05:01 ipsec,info killing ike2 SA: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:0cbbc484128c8ca9:e0817c6382f08773
20:05:11 ipsec,info new ike2 SA (I): nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:b9b836cf0b2ca788:bcd7b33910718100
20:05:11 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
20:05:11 ipsec,error can't verify peer's certificate from store
20:05:11 ipsec,info,account peer failed to authorize: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:b9b836cf0b2ca788:bcd7b33910718100
20:05:11 ipsec,info killing ike2 SA: nordvpn 191.9.xxx.yyy[4500]-185.153.xxx.yyy[4500] spi:b9b836cf0b2ca788:bcd7b33910718100

curtdept · Sat Feb 11, 2023 6:04 am

Still an issue with bridge DHCP snooping blocking IPV6 PD

own3r1138 · Sat Feb 11, 2023 4:03 pm

Several Kernel failures on CHR. :d

100% sure

Znevna · Sat Feb 11, 2023 4:18 pm

kernal is something from 1977. You sure?

ahmdzaki · Sat Feb 11, 2023 6:09 pm

Upgraded a CRS305 and CRS309 without any issues so far. OSPFv2, OSPFv3, HW L3. Just need to verify DHCP has been fixed.

Are L3 HW Offload still bug of ospf/bgp/nexthop failure or changed?
I solved those issue with disable and enable l3hw or clear arp. is that fixed?

ErfanDL · Sat Feb 11, 2023 6:43 pm

after upgrade to 7.8rc1 USB LTE can't get DHCP client. showing status stopped

Screenshot 2023-02-11 201339.jpg

username2 · Sat Feb 11, 2023 6:52 pm

Bug with Huawei MA5671A ONT SFP Module persisting in RC1: no link is detected.

When upgrading from 7.7 to 7.8rc no link is detected on the SFP module.

viewtopic.php?p=983137#p983137

105547111 · Sat Feb 11, 2023 9:00 pm

I have noticed with RC1 my sstp tunnel won't establish on a reboot (after firmware upgrade). But if I disable the SSTP tunnel, then re-enable it connects without issue.

I then tried just a reboot and it comes up normally. Only happens on a upgrade + reboot. Same thing happened on last beta.

SSTP connection to DNS name or IP address ?
If the former, it could be the DNS resolving was not active yet at that specific moment.
I can perfectly understand after a first reboot, things are bit slower when starting up.

But that's an assumption from my part. Could be something else is playing...

Yes its DNS name. Maybe after an upgrade its slightly slower starting. Its no big deal at least it works, better than it broken completely in the last few releases :-)

mszru · Sat Feb 11, 2023 10:25 pm

after upgrade to 7.8rc1 USB LTE can't get DHCP client. showing status stopped

Same here with Alcatel IK41 USB LTE modem on hAP ac2.
I have downgraded ROS to 7.7 to make it work again.

Brendon · Sun Feb 12, 2023 2:08 pm

USB Gb ethernet adapter (Techole UH411) with Realtek RTL8153 not working properly. Stats tabs are empty, no autonegotiation. Tested on hap ax3 and hap ac, adapter working on linux and win. machine without problem.

rtl8153.png

achu · Sun Feb 12, 2023 10:19 pm

No hardware encryption acceleration (Hw. Crypto) in openvpn on hAP ax3 router (cipher: AES256-GCM) In version 7.8beta3 it worked properly.

Amm0 · Sun Feb 12, 2023 10:21 pm

F1 for ROSE is still missing help descriptors for parameters

Mon Feb 13, 2023 7:10 am

DenisPDA, ivicask, smotrov, kev445, own3r1138, curtdept, own3r1138, ErfanDL, username2, mszru, Brendon - Please send the supout file from your router to us to the support@mikrotik.com e-mail address or use our client portal https://help.mikrotik.com/servicedesk/
DjM - We discovered an issue that could lead up to an OVPN server failure when removing client connections.
mducharme - Actually, this functionality is already on the way to you and will be available in v7.9beta.
elbob2002, llag - Yes, it is safe to use 7.8rc and will be safe to use the 7.8 stable version on CRS devices.
rpingar, own3r1138 - This change was a potential fix for your problem. You should try it out and update us with new supout files if the problem for some reason is not fully resolved.
alacis - The issue should be resolved in v7.9beta.
achu, Amm0 - We will look into this.

Jotne · Mon Feb 13, 2023 8:02 am

mducharme - Actually, this functionality is already on the way to you and will be available in v7.9beta.
alacis - The issue should be resolved in v7.9beta.

alacis
FYI, LED issue introduced with 7.8beta3 still exists - viewtopic.php?t=193289 - after upgrading signal LEDs not working and you need to manually toggle it off and on under System -> LEDs section.

@MikroTik STOP
This was a bug introduced in 7.8beta3 and should be fixed in 7.8rc, not 7.9 beta
Stop posting new beta for new mayor version. We are waiting of a long term release in 7 series, so next release after 7.8 should be 7.8.1 etc.
Make 7.x stable before adding new version 7.9 etc with stuff that are not important like new storage system, container ++

Mon Feb 13, 2023 8:50 am

According to my tests on hAP ax² 7.8rc1 has 15..20% lower WiFi speed comparing to 7.7.

Are you testing on a static channel and controlling for co-channel and adjecent-channel interference?

rpingar · Mon Feb 13, 2023 9:14 am

rpingar, own3r1138 - This change was a potential fix for your problem. You should try it out and update us with new supout files if the problem for some reason is not fully resolved.

it is for sure not a fix for not running dynamic pppoe client interface! The problem is still present on 7.8rc1
I didn't get yet a crash so .............I will update you.

regards

Mon Feb 13, 2023 9:52 am

Jotne - My apologies for this mistake, LEDs will be fixed in v7.8, not v7.9.

Mon Feb 13, 2023 10:03 am

USB Gb ethernet adapter (Techole UH411) with Realtek RTL8153

This chipset was never fully supported. we will check if we can add it properly.

DjM · Mon Feb 13, 2023 10:14 am

DjM - We discovered an issue that could lead up to an OVPN server failure when removing client connections.

Thank you for your feedback.

Can you, please, provide me also feedback related to my 2nd point?

*) ssh - improved system stability when processing none-crypto SSH connection;

Can be this fix related to run SCP via SSH tunnel terminated on ROS?

Mon Feb 13, 2023 11:10 am

Wifiwave2 AC3 and AX3:
/interface/wifiwave2/info country-info doesn't work anymore since 7.7

It was already reported in the 7.7 thread but still not fixed.
SUP-107615 created.

Mon Feb 13, 2023 11:45 am

Already got a reply (fast !).

submenu info country-info is removed.
Info is to be collected via /interface/wifiwave2/radio print detail
(but currently output is not of the same level/detail as it was using country-info so I asked about that again)

EDIT: extended info will become available in /interface/wifiwave2/radio print detail

pe1chl · Mon Feb 13, 2023 12:31 pm

Why is that so important for you? This is all static info that you can get from the relevant authorities...

Mon Feb 13, 2023 12:47 pm

Oh but it's not important at all to me.
I know where to find that info in other places.
The info used to be there prior to 7.7, some users are having problems determining why some settings they are using are not working.
I assumed nobody ever bothered creating a ticket for it. I did, got a response and shared that info.

Not everyone uses BGP, you know :lol:

own3r1138 · Mon Feb 13, 2023 1:48 pm

rpingar, own3r1138 - This change was a potential fix for your problem. You should try it out and update us with new supout files if the problem for some reason is not fully resolved.

I sent a supout file three days ago.

mkx · Mon Feb 13, 2023 2:14 pm

Why is that so important for you? This is all static info that you can get from the relevant authorities...

Info from authorities sometimes doesn't exactly match limitation built in ROS. Sometimes is thus very useful to get this info to verify what are actual limits imposed by ROS in actual device.

kcarhc · Mon Feb 13, 2023 4:08 pm

I have been using 7.8rc1 for 3 days now, and there has not been any issue with interrupted streaming since then. My main streaming service is Netflix, and IPv6 is enabled in the network. I believe the AAAA resolution issue with DNS has been resolved. Those who have encountered the issue before can upgrade to 7.8rc1 for testing.

sirbryan · Mon Feb 13, 2023 4:14 pm

Upgraded a CRS305 and CRS309 without any issues so far. OSPFv2, OSPFv3, HW L3. Just need to verify DHCP has been fixed.
Are L3 HW Offload still bug of ospf/bgp/nexthop failure or changed?
I solved those issue with disable and enable l3hw or clear arp. is that fixed?

I found a bug (present in 7.4.1 through to 7.7) where OSPF ECMP routes, when they return after a failure, are not loaded into the L3HW, despite showing up in the routing table. I've submitted a ticket but haven't heard back yet.

own3r1138 · Mon Feb 13, 2023 4:44 pm

@ErfanDL
Dear Erfan, can you tell me which USB LTE and carrier you use, please? I'm interested in buying one.

narapon · Mon Feb 13, 2023 7:35 pm

[ALERT]    (1) : exit-on-failure: killing every processes with SIGTERM
[ALERT]    (3) : [haproxy.main()] Cannot chroot(/var/lib/haproxy).
[NOTICE]   (1) : Loading success.
[NOTICE]   (1) : New worker (3) forked
[NOTICE]   (1) : haproxy version is 2.7.2-7e295dd
[NOTICE]   (3) : haproxy version is 2.7.2-7e295dd
[WARNING]  (1) : All workers exited. Exiting... (1)
[WARNING]  (1) : Current worker (3) exited with code 1 (Exit)

My HAproxy container start failing on 7.8rc1, they were working fine on 7.5, was something changed?

Pl07R3K · Mon Feb 13, 2023 10:03 pm

Unfortunately there is no information about CAPsMAN in the Release Notes, are there any improvements in this area since 7.7?

ErfanDL · Tue Feb 14, 2023 7:45 am

@ErfanDL
Dear Erfan, can you tell me which USB LTE and carrier you use, please? I'm interested in buying one.

ZTE MF79U on MTN

hknet · Tue Feb 14, 2023 8:06 am

Upgraded a CRS305 and CRS309 without any issues so far. OSPFv2, OSPFv3, HW L3. Just need to verify DHCP has been fixed.

how did you get ospf3? I'm testing on two CRS317 which converge fine in ospf2, but never using IP6

noradtux · Tue Feb 14, 2023 10:30 am

how did you get ospf3? I'm testing on two CRS317 which converge fine in ospf2, but never using IP6

At least on CRS317 you need to disable IGMP snooping on the bridge to get OSPFv3 working. And yes, support says this is normal ....

mducharme · Tue Feb 14, 2023 11:09 am

mducharme - Actually, this functionality is already on the way to you and will be available in v7.9beta.

I must have misunderstood then. I saw the following change and figured that it was that:

*) route - fixed IPv6 default route presence when received from RA;

If that is not what I thought, then what is that change?

msilcher · Tue Feb 14, 2023 2:26 pm

Internet tethering from Android phone via USB is not working, lte1 DHCP client stays in invalid state. Had to rollback to 7.7. Tested on hap ac3 BTW.

Tue Feb 14, 2023 3:13 pm

mducharme - New flags and properties are added to routing table. Default SLAAC routes will be there in v7.9.

kev445 · Wed Feb 15, 2023 5:27 pm

Vodafone UK wifi calling has stopped working.
Maybe another DNS issue? Try if setting an external DNS (e.g. your ISP DNS or like 1.1.1.1 or 8.8.8.8) in the DHCP Network setting fixes it.

This turned out to be an issue with Vodafone, which they have since resolved.

Pl07R3K · Wed Feb 15, 2023 5:48 pm

mducharme - New flags and properties are added to routing table. Default SLAAC routes will be there in v7.9.

I get the impression that the big launch of ROS 8.0 ASAP is more important than stabilizing the system :-(
That's why we haven't lived to see a long-term version so far.

bajodel · Wed Feb 15, 2023 5:55 pm

In the previous release there was a big talk about dns issues, now I don't see many of them.
I'm currently still using direct dns because if I try to revert back, lots of things go bonkers (Ms Teams, Amazon MyTV and sometimes also YouTube in a normal browser).

Any update on this ?

Wed Feb 15, 2023 6:03 pm

Pl07R3K - Not sure what was the purpose of this message. Building multiple rc releases before stable build is exactly "stabilising". Main goal on eacn and every new stable is to make it better than previous one. Of course, there are no bugfree versions, but we do not plan to delay many fixes for many users while waiting for fixes for some specific issues. Releasing new stable versions and stabilising version for everyone, not for some particular feature users is our main goal.

bajodel - As far as we are aware all of the major DNS issues are resolved. Also there are some new updates on docummentation page explaining how static entries work now (https://help.mikrotik.com/docs/display/ROS/DNS).

Sob · Wed Feb 15, 2023 7:18 pm

Why oh why do you do these things? ;) From the new DNS docs:

If DNS static entries list matches the requested domain name, then the router will assume that this router is responsible for any type of DNS request for the particular name. For example, if there is only an "A" record in the list, but the router receives an "AAAA" request, then it will reply with an "A" record from the static list and will query the upstream server for the "AAAA" record. If a record exists, then the reply will be forwarded, if not, then the router will reply with an "ok" DNS reply without any records in it. If you want to override domain name records from the upstream server with unusable records, then you can, for example, add a static entry for the particular domain name and specify a dummy IPv6 address for it "::ffff".

First one small detail, I think the first sentence is wrong, because if router assumed that it's responsible for any type, it wouldn't ask upstream for the ones it doesn't have.

But the important part, clearly the goal now is to override records per-type, not all as before. Ok, fine, accepted. But isn't it pretty clear that overriding some type by discarding upstream records will be quite logical requirement? Because it's not the same as adding records of that type with some "invalid" value. In your example, if client asks for AAAA record, it will get ::ffff. Can you guarantee that all present and future clients will handle it as wrong address they will ignore? Of course you can't, nobody can. So why not do it properly, especially when it shouldn't be difficult at all? E.g. add new no-data=yes parameter for all record types that will filter out any upstream records of that type (it wouldn't actually ask upstream about them at all, since this would be local empty record of that type).

bajodel · Wed Feb 15, 2023 8:43 pm

bajodel - As far as we are aware all of the major DNS issues are resolved. Also there are some new updates on docummentation page explaining how static entries work now (https://help.mikrotik.com/docs/display/ROS/DNS).

Thank you strods, I'll take a look into that but my problem is that I'm not using static entries! It's simple dns resolution from upstream passed to clients.
As soon as I give upstream dns to clients (via DHCP) all is working fine. If the router is the LAN dns resolver (opendns as upstream) it starts to behave badly.
I've had no time to dig deeper into the problem, it takes time to make captures and figure out what those "black box" are trying to do (AmazonFireTV, SmartTV, etc..) with the dns.
My notebook is almost happy with the router as dns server, but sometimes I get some strange outcome on YouTube (could be something else).

pe1chl · Wed Feb 15, 2023 9:01 pm

I had such issues with v7.7 (and the last beta versions leading up to that) but it has been resolved for me. You are right: it is difficult to debug, even with a detailed DNS packet trace I could not really pinpoint the problem.
The "expected behavior" of a DNS server/resolver is different from what one would guess it would be, so every time someone makes changes "to make it more efficient", "to make the code look nicer", or "to add some niche functionality", it breaks.
I hope that MikroTik has made some testing tool that tests all bugs identified previously, which they can run before releasing another version where the DNS resolver was again "improved". Because I think these same problems will keep coming back again and again.

actck · Thu Feb 16, 2023 3:48 am

Becaues of this new dns resolver, my ccr2216 still stay on 7.4.1, uptime=180d+, hahaha

I wish to provide an option to disable this new resolver, I dont trust this, Or else i will assign dns server in dhcp service after update ros

Thu Feb 16, 2023 6:56 am

Ability to specify domain name with some kind of a "none" action is on its way. We do not know how it will look yet, but you will be able to add dummy DNS record that will override DNS name lookup. Yes, nobody is forced to upgrade RouterOS on every stable release. Release notes are available and if you are not satisfied with some changes, you can always wait for a while and stick with an older version.

Please keep this topic related to v7.8rc. If you want to discuss DNS changes, then please create new topic.

ahmdzaki · Thu Feb 16, 2023 10:25 am

Are L3 HW Offload still bug of ospf/bgp/nexthop failure or changed?
I solved those issue with disable and enable l3hw or clear arp. is that fixed?
I found a bug (present in 7.4.1 through to 7.7) where OSPF ECMP routes, when they return after a failure, are not loaded into the L3HW, despite showing up in the routing table. I've submitted a ticket but haven't heard back yet.

Yes, running scheduler for clear arp for every 5 minutes still the solution.

Upgraded a CRS305 and CRS309 without any issues so far. OSPFv2, OSPFv3, HW L3. Just need to verify DHCP has been fixed.
how did you get ospf3? I'm testing on two CRS317 which converge fine in ospf2, but never using IP6

I got Running CCR2004 and CRS305 + l3hw offload with ospfv3 ipv6 with broadcast type. not working with p2p type and not working with ipv4.

pe1chl · Thu Feb 16, 2023 11:02 am

I wish to provide an option to disable this new resolver, I dont trust this, Or else i will assign dns server in dhcp service after update ros

That option is already available! You do not need to use the RouterOS resolver except for the router's own internal queries (like to update RouterOS or to load address lists from DNS names). You can setup an alternative resolver on a separate device or as a container running on the router itself, and use that.
On our AMPRnet/HAMNET network we just use bind9 as a server/resolver, without issues (and with DNSSEC). In a container you could use unbound, for example.

Thu Feb 16, 2023 12:02 pm

What's new in 7.8rc2 (2023-Feb-14 11:50):

*) certificate - fixed export of a certificate when the last line of the certificate is exactly 64 bytes long;
*) conntrack - improved system stability when PPTP helper is used;
*) leds - always require to set interface name when setting "modem-signal" indication;
*) lte - fixed config-less modem support (introduced in 7.8rc1);
*) lte - fixed possible memory leak when using passthrough mode on Chateau 5G;
*) ovpn-server - fixed HW encryption capability detection on ARM64 devices (introduced in 7.8rc1);
*) sfp - fixed certain optical module initialization (introduced in 7.8beta2);

depth0cert · Thu Feb 16, 2023 1:23 pm

Thank you

ErfanDL · Thu Feb 16, 2023 1:40 pm

What's new in 7.8rc2 (2023-Feb-14 11:50):

*) lte - fixed config-less modem support (introduced in 7.8rc1);

thanks.

ropeguru · Thu Feb 16, 2023 4:32 pm

You seriously need to upgrade the ZeroTier package!!! There have been so many bug fixes and new features since September 2021.. This release is a year and a half old!!

At this point, adding ZeroTier seems only like a marketing gimmick which a lot of people, including myself, fell for...

pcunite · Thu Feb 16, 2023 8:30 pm

Ability to specify domain name with some kind of a "none" action is on its way. We do not know how it will look yet, but you will be able to add dummy DNS record that will override DNS name lookup.

Thank you.

kriszos · Thu Feb 16, 2023 11:19 pm

on 7.8rc2 CRLs are still ignored and users with revoked certificates are able to connect using IKEv2
SUP-108118

Jotne · Fri Feb 17, 2023 7:40 am

Do you see your case in status closed SUP-108118 or change log in 7.8rc2 that it should be fixed? If yes, make a new support case, if no, no ned for ask for it.

An5teifo · Fri Feb 17, 2023 7:47 am

I am having troubles with OSPF IPv6. If I just announce regular routes via a passive interface only a few are being seen by the other routers. Currently I need to stick with redistribute connected.

Also packet sniffer slows down my IPv6 speed dramatically (off ~150 Mbit, on ~ some kbits) but only on my CCR2004.

Network5 · Fri Feb 17, 2023 12:05 pm

"Also packet sniffer slows down my IPv6 speed dramatically (off ~150 Mbit, on ~ some kbits) but only on my CCR2004."

I have a similar issue, also on a CCR2004 just for IPv6 traffic. I can generate more than 3GB/s but I can not forward more than 100kB/s.

Fri Feb 17, 2023 2:29 pm

Jotne - Please do not create a new ticket even if there was an attempt to fix your issue, but it did fail. Keep all of the conversations about a single issue within a single support ticket. Report support issues on separate tickets (single ticket, single issue) but do not start multiple tickets for the same problem. If you received an automated reply from us, then the ticket is in our queue.

kcarhc · Fri Feb 17, 2023 3:28 pm

I think I may have found a reason why DNS forward-to can be incorrect.

As seen in the picture, video.twimg.com has two CNAMEs, which is definitely not correct. We can use the example of "video.twimg.com CNAME dualstack.video.twitter.map.fastly.net TTL=00:03:33" to illustrate the problem that can occur with DNS forward-to.

From these two pieces of data, we can see that "dualstack.video.twitter.map.fastly.net A 151.101.76.159" will expire first. So if "dualstack.video.twitter.map.fastly.net A" expires and the client requests a resolution for "video.twimg.com", the DNS resolver will find the CNAME and attempt to resolve "dualstack.video.twitter.map.fastly.net".

However, the code rule we set is "forward-to=1.1.1.1 regex=(.|^)(twitter|twimg).com$", which can only match "video.twimg.com" but not "dualstack.video.twitter.map.fastly.net". Some may argue that this setting is correct, but if the DNS cache is cleared, then "video.twimg.com" and subsequent CNAME resolutions will use "forward-to 1.1.1.1", creating a logical conflict.

Therefore, I think we should add a tag to the result of "video.twimg.com CNAME dualstack.video.twitter.map.fastly.net" resolution to mark "dualstack.video.twitter.map.fastly.net" as "forward-to 1.1.1.1". This will ensure that when we resolve "dualstack.video.twitter.map.fastly.net" in the future, the result will be consistent with clearing the cache.

This is a problem that we often encounter where the DNS resolution works fine at the beginning, but eventually causes streaming problems.

kcarhc · Fri Feb 17, 2023 3:32 pm

please check
SUP-104088, dns AAAA issue
SUP-107205, dns-static CNAME not working.
SUP-107210, dns dynamic server random lost
I feel that these three issues, although different, are all related to the situation mentioned above,
and perhaps all caused by the same reason leading to DNS crash.

massinia · Fri Feb 17, 2023 3:39 pm

All 6 iPads Air with iPadOS 16.3.1 we have now keep disconnecting and reconnecting as soon as the screen turns off.
They are with the screen off and above the table, once the display is switched on, they remain connected.

# feb/17/2023 14:27:19 by RouterOS 7.8rc2
# software id = BH9H-NUQS
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDG08XXXXXX
/interface bridge
add admin-mac=48:A9:8A:0E:18:EB auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.country=Italy .mode=ap .ssid=\
    MikroTik disabled=no security.authentication-types=wpa2-psk \
    .management-protection=disabled .wps=disable
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Italy .mode=ap .ssid=\
    MikroTik disabled=no security.authentication-types=wpa2-psk \
    .management-protection=disabled .wps=disable

dokacoimbra · Fri Feb 17, 2023 4:54 pm

The "Interfaces/Detect Internet/Detect Internet State" problem still remains.

In Interfaces, the "Detect internet" status doesn't work after reboot, it only works when I change and revert any of the lists in the "Detect internet" dialog.
After this manipulation, the "Detect internet" status works fine until the next reboot.

Tested on HAP AC2

This video below describes the problem well.
https://www.youtube.com/watch?v=kk6nRWx ... canal=DF

msilcher · Fri Feb 17, 2023 5:13 pm

The "Interfaces/Detect Internet/Detect Internet State" problem still remains.

In Interfaces, the "Detect internet" status doesn't work after reboot, it only works when I change and revert any of the lists in the "Detect internet" dialog.
After this manipulation, the "Detect internet" status works fine until the next reboot.

Tested on HAP AC2

This video below describes the problem well.
https://www.youtube.com/watch?v=kk6nRWx ... canal=DF

Same here, also con hap ac2. Happens since some time.

Fri Feb 17, 2023 6:25 pm

Yes, the Internet Detect issue is not solved yet. When it will be fixed, then that will be mentioned in the release notes. We are aware of a problem with Detect Internet. Please keep this topic related only to v7.8 and the issues introduced in it compared to 7.7.

pe1chl · Fri Feb 17, 2023 6:34 pm

Yes, the Internet Detect issue is not solved yet. When it will be fixed, then that will be mentioned in the release notes. We are aware of a problem with Detect Internet.

Best solution would be to just remove it. It did not work out, it does not solve any issue or provide any useful function, yet it causes confusion and problems.

honzam · Fri Feb 17, 2023 10:16 pm

@strods When will this issue be resolved please? viewtopic.php?t=188600
Reported by ticket with version 7.8rc. Thank you

cklee234 · Fri Feb 17, 2023 11:52 pm

V7.8 rc2 fixed an issue in rc1 that CAPSMan not able to bring up 5G wifi in RB4011iGS+5HacQ2HnD

Gnits · Sat Feb 18, 2023 12:18 am

Still having issues with SFP+ 10gb ports flapping between my rb5009 and my CRS317-1G-16S+
SUP-106568...

What's new in 7.8rc2 (2023-Feb-14 11:50):
*) sfp - fixed certain optical module initialization (introduced in 7.8beta2);

mada3k · Sat Feb 18, 2023 11:54 am

Yes, the Internet Detect issue is not solved yet. When it will be fixed, then that will be mentioned in the release notes. We are aware of a problem with Detect Internet.
Best solution would be to just remove it. It did not work out, it does not solve any issue or provide any useful function, yet it causes confusion and problems.

Agree. It's an utterly stupid function.

massinia · Sat Feb 18, 2023 7:46 pm

All 6 iPads Air with iPadOS 16.3.1 we have now keep disconnecting and reconnecting as soon as the screen turns off.
They are with the screen off and above the table, once the display is switched on, they remain connected.

# feb/17/2023 14:27:19 by RouterOS 7.8rc2
# software id = BH9H-NUQS
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDG08XXXXXX
/interface bridge
add admin-mac=48:A9:8A:0E:18:EB auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.country=Italy .mode=ap .ssid=\
    MikroTik disabled=no security.authentication-types=wpa2-psk \
    .management-protection=disabled .wps=disable
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Italy .mode=ap .ssid=\
    MikroTik disabled=no security.authentication-types=wpa2-psk \
    .management-protection=disabled .wps=disable

I can't turn on wireless debugging, doesn't work with wave2?

I can't understand why with 7.8rc2 iPads have this problem.

Amm0 · Sat Feb 18, 2023 7:56 pm

I can't understand why with 7.8rc2 iPads have this problem.

What version did these last work in?

massinia · Sat Feb 18, 2023 8:03 pm

What version did these last work in?

hAP ax3 with 7.6 and 7.7, used for two weeks, never noticed.
Unfortunately I can't downgrade...

Amm0 · Sat Feb 18, 2023 8:21 pm

What version did these last work in?
hAP ax3 with 7.6 and 7.7, used for two weeks, never noticed.
Unfortunately I can't downgrade...

Still waiting for some "ax" things, so dunno. But seems changing country has an outsized effect on things with 'ax, perhaps try "no country"? And/or, specifically select a channel to use?

Sat Feb 18, 2023 8:23 pm

Unfortunately I can't downgrade...

Why not ?
Is not that difficult.

massinia · Sat Feb 18, 2023 10:10 pm

@Amm0

try "no country"? And/or, specifically select a channel to use?

Nothing, same thing... after 5/10 minutes that the screen is off, the disconnections begin.
They do it even if I use only one wireless interface (2.4 or 5 GHz).

Why not ?
Is not that difficult.

You are right, I should do it when nobody is there...

kcarhc · Sun Feb 19, 2023 12:50 am

Still having issues with SFP+ 10gb ports flapping between my rb5009 and my CRS317-1G-16S+
SUP-106568...
What's new in 7.8rc2 (2023-Feb-14 11:50):
*) sfp - fixed certain optical module initialization (introduced in 7.8beta2);

I have a RB5009UPr+S+IN with an SFP+ module that sometimes fails to start, and experiences 2.5G port flapping.
After upgrading to 7.8rc2, not only does port flapping still occur, but there are also negotiation issues where the port changes from 2.5G to 1G and then to 100M.
The only solution I have found is to reboot the device, which temporarily restores the 2.5G connection until the flapping starts again.

RB5009UPr+S+IN_Port_flapping.png

kcarhc · Sun Feb 19, 2023 12:59 am

here is the image after reboot. the ether1 will back to 2.5Gbps. just reboot.

RB5009UPr+S+IN_reboot_2.5Gbps_works.png

Then I found another problem after the reboot: every time I reboot, my clock is changed to Europe/Istanbul. It's so strange, no matter how I change it, it always changes back to Europe/Istanbul after reboot. I didn't pay attention to this issue before.

Clock_Europe-Istanbul.png

kcarhc · Sun Feb 19, 2023 5:46 pm

The lowest speed today became 10 Mbps, which is the first time I have encountered this issue since before 7.8rc2.

10Mbps.png

ether1_10Mbps.png

ether1_advertise.png

own3r1138 · Sun Feb 19, 2023 6:09 pm

I have found an issue with RouterOS IKEv2 version 7.7 also V7.8rc2. It works fine on 6.48.6 (long-term).
The issue is related to handling the certificate chain of trust, as far as I can tell.
SUP-108363

ipsec-f.jpg

nichky · Mon Feb 20, 2023 11:30 am

BGP with VRRP does't established peer

rpingar · Mon Feb 20, 2023 6:04 pm

in dst.limit filter rule there is a bug when rate is > then 10k p/s
the rule doesn't catch anything.
Instead if you choose rate 10k p/s and a big burst the rule catch the patckets.
[SUP-108462]: opened with supout

DeviceLocksmith · Mon Feb 20, 2023 8:31 pm

I think I may have found a reason why DNS forward-to can be incorrect.

As seen in the picture, video.twimg.com has two CNAMEs, which is definitely not correct. We can use the example of "video.twimg.com CNAME dualstack.video.twitter.map.fastly.net TTL=00:03:33" to illustrate the problem that can occur with DNS forward-to.

I am not seeing two CNAMEs in one answer from video.twimg.com. What I am seeing is weighted CNAME answers from Dynect, AWS Route 53 and Ultra DNS nameservers.

❯ dig video.twimg.com @d.r06.twtrdns.net CNAME +short # Route 53
dualstack.video.twitter.map.fastly.net.
❯ dig video.twimg.com @d.r06.twtrdns.net CNAME +short
cs296.wpc.edgecastcdn.net.
❯ dig video.twimg.com @d.u06.twtrdns.net CNAME +short # UltraDNS
dualstack.video.twitter.map.fastly.net.
❯ dig video.twimg.com @d.u06.twtrdns.net CNAME +short
cs296.wpc.edgecastcdn.net.
❯ dig video.twimg.com @ns3.p34.dynect.net CNAME +short # Dynect
dualstack.video.twitter.map.fastly.net.
❯ dig video.twimg.com @ns3.p34.dynect.net CNAME +short
cs296.wpc.edgecastcdn.net.

Why is RouterOS caching both is a good question - it should cache on tuple as a key (name, class, rdtype). It looks like it caches on (name, rdtype, rdata), which is incorrect.

Rox169 · Mon Feb 20, 2023 10:17 pm

Hi,
finally I can see all changes and latest RC version in fisrt post...why it took so long..

fragtion · Tue Feb 21, 2023 1:34 am

In the previous release there was a big talk about dns issues, now I don't see many of them.
I'm currently still using direct dns because if I try to revert back, lots of things go bonkers (Ms Teams, Amazon MyTV and sometimes also YouTube in a normal browser).

Any update on this ?

Same here and it's reproducible. Only happens with the Wyze cameras on my network. If they use the Mikrotik dns, I get DHCP disassoc/reassoc flooding (units rebooting themselves) which goes away as soon as I switch them to a different DNS server. Weird.
And while I'm tempted to go bind9 in a container, I feel like DNS is too critical of a router function to offload to a container which has its own potential quirks/layers of complexity and points of failure, and of course this workaround won't work for devices that can't run container so the focus should be to get the built-in resolver working properly so that such alternatives aren't necessarily need.

rpingar · Tue Feb 21, 2023 11:07 am

in dst.limit filter rule there is a bug when rate is > then 10k p/s
the rule doesn't catch anything.
Instead if you choose rate 10k p/s and a big burst the rule catch the patckets.
[SUP-108462]: opened with supout

using rate=10k p/s the burst parameter doesn't have any effect at all!!!
you can set rate= 10k and burst=100k but it get matched until 10001p/s

very urgent to review and fix please.

tricyclevent · Tue Feb 21, 2023 12:09 pm

*) container - added authentication option for registry (CLI only);

How to use the authentication?
In terminal i set up username & password. But how to connect?

Do i have to change the url to: https://registry-1.docker.io/v2/ ??

Are there more informations how this works?
Still cant download dockers/containers...

"error response getting manifests: 404"

pe1chl · Tue Feb 21, 2023 12:17 pm

using rate=10k p/s the burst parameter doesn't have any effect at all!!!
you can set rate= 10k and burst=100k but it get matched until 10001p/s

very urgent to review and fix please.

The algorithm used for this limiting does not allow limits that are higher than the clock interrupt tick rate...
I'm afraid that is a kernel limitation, not something that is easily fixed. It is intended for rates in the several-per-minute range.

rpingar · Tue Feb 21, 2023 4:29 pm

using rate=10k p/s the burst parameter doesn't have any effect at all!!!
you can set rate= 10k and burst=100k but it get matched until 10001p/s

very urgent to review and fix please.
The algorithm used for this limiting does not allow limits that are higher than the clock interrupt tick rate...
I'm afraid that is a kernel limitation, not something that is easily fixed. It is intended for rates in the several-per-minute range.

how to block badport udp attack from many thousands to one ip??

Wed Feb 22, 2023 10:04 am

What's new in 7.8rc3 (2023-Feb-20 16:32):

*) vxlan - fixed MAC learning when using FastPath (introduced in v7.8beta3);

Rox169 · Wed Feb 22, 2023 10:31 am

What's new in 7.8rc3 (2023-Feb-20 16:32):

vxlan - fixed MAC learning when using FastPath (introduced in v7.8beta3);

so almost no fixes it should mean stable version is around corner :)

Jotne · Wed Feb 22, 2023 11:09 am

Someone not following the MikroTik standard for posting change log new version ;)
Correct format:

*) vxlan - fixed MAC learning when using FastPath (introduced in v7.8beta3);

Hope we would see 7.8.1 .. 7.8.x (long term)

kcarhc · Wed Feb 22, 2023 11:30 am

I think I may have found a reason why DNS forward-to can be incorrect.

As seen in the picture, video.twimg.com has two CNAMEs, which is definitely not correct. We can use the example of "video.twimg.com CNAME dualstack.video.twitter.map.fastly.net TTL=00:03:33" to illustrate the problem that can occur with DNS forward-to.

I am not seeing two CNAMEs in one answer from video.twimg.com. What I am seeing is weighted CNAME answers from Dynect, AWS Route 53 and Ultra DNS nameservers.
Code: Select all
❯ dig video.twimg.com @d.r06.twtrdns.net CNAME +short # Route 53
dualstack.video.twitter.map.fastly.net.
❯ dig video.twimg.com @d.r06.twtrdns.net CNAME +short
cs296.wpc.edgecastcdn.net.
❯ dig video.twimg.com @d.u06.twtrdns.net CNAME +short # UltraDNS
dualstack.video.twitter.map.fastly.net.
❯ dig video.twimg.com @d.u06.twtrdns.net CNAME +short
cs296.wpc.edgecastcdn.net.
❯ dig video.twimg.com @ns3.p34.dynect.net CNAME +short # Dynect
dualstack.video.twitter.map.fastly.net.
❯ dig video.twimg.com @ns3.p34.dynect.net CNAME +short
cs296.wpc.edgecastcdn.net.
Why is RouterOS caching both is a good question - it should cache on tuple as a key (name, class, rdtype). It looks like it caches on (name, rdtype, rdata), which is incorrect.

The problem I experienced is that different DNS servers may resolve different CDN servers. I forced Twitter to use Cloudflare's 1.1.1.1 resolver, while my ISP's DNS resolver resolves to a different CDN server for Twitter compared to Cloudflare's resolver. I traced this issue and found that multiple CNAMEs can be returned.

Another issue is that if the TTL of the CNAME's CNAME/A/AAAA records is set to 0, then the forward-to rule will not be executed again when the CNAME is resolved in the future.

For example, if we set "video.twimg.com forward-to=1.1.1.1" and the first time we resolve "video.twimg.com CNAME dualstack.video.twitter.map.fastly.net", the result is returned by 1.1.1.1, and "dualstack.video.twitter.map.fastly.net A 117.18.232.102" is also returned by 1.1.1.1. However, after a while when the TTL is set to 0, if we resolve "dualstack.video.twitter.map.fastly.net" separately, we may find that the result is "dualstack.video.twitter.map.fastly.net A 146.75.112.158", which is not the result returned by 1.1.1.1.

Therefore, I think it would be helpful to mark the "dualstack.video.twitter.map.fastly.net" that is stored in the cache with a certain dns-static rule, so that the same rule will be executed for future domain names as well.

spippan · Wed Feb 22, 2023 12:00 pm

BGP does not reliably append bgp-communities on advertised/exported prefixes!

if the bgp session re-initiates /-establishes the route filter community-set has to be disabled and re-enabled again to see bgp-communities appear on peering partner

the advertising / exporting PEER:

2023-02-22_MT_7.8rc_bgpComm01.png

the receiving PEER (bgp-communities only appear after disabling and re-enabling the community-set; sometimes multiple times)

2023-02-22_MT_7.8rc_bgpComm02_peer.png

pe1chl · Wed Feb 22, 2023 2:26 pm

[found the reason - access list item said "no tag"]

CTassisF · Wed Feb 22, 2023 2:32 pm

Still cant download dockers/containers...

"error response getting manifests: 404"

This has nothing to do with the new authentication feature that was implemented in v7.8.

Basically Docker changed how images are created and stored and MikroTik will have to update its container implementation to support these changes. This was discussed in v7.8beta thread.

An5teifo · Wed Feb 22, 2023 2:35 pm

Unfortunately RC3 still did not solve SUP-107271.

Network5 · Thu Feb 23, 2023 12:42 pm

When importing / coping VRRP configuration, from an export, with VRRP master-group set, the command will fail. Supposing because master group does not exists jet. This on RC3.

/interface vrrp
add group-master=VRRP-A01 interface=B_A01 name=VRRP-A01 vrid=101
add group-master=VRRP-A02 interface=B_A02 name=VRRP-A02 vrid=102
add group-master=VRRP-A03 interface=B_A03 name=VRRP-A03 vrid=103
...
...

Fri Feb 24, 2023 2:04 pm

Network5 - thank you for the report, we have reproduced this behavior and will resolve it in future releases.

Amm0 · Sat Feb 25, 2023 1:09 am

Is it a bug that <tab> in /interface/lte shows this? ;)

 /interface/lte/esim/
activate-profile  enable-profle  list-profiles
delete-profle     esim-id        rename-profle

templeos · Sat Feb 25, 2023 2:49 am

That's not a bug, that is a feature. We already know that eSIM support it is coming in a future modem firmware update. Mikrotik probably has access to beta firmware newer than RG502QEAAAR13A03M4G from Quectel.

People already found out about the upcoming eSIM support in firmware version RG502QEAAAR13A02M4G in November 2022.
https://forums.quectel.com/t/rg502q-ea- ... uest/18852

rpingar · Sat Feb 25, 2023 1:36 pm

we hit another bug on arm64 ccr2004:
- bonding intererface with two sfpplus
- a vlan on the bond
- multiple ips of the same subnet on the vlan

when you ping another ip of the same subnet (l2) through the bond the pocket for some of the ip on the bond are dropped (ping timeout), other packet for other ip are accepted.
[SUP-108960] opened with supout and pcap file on the interface when we see ping timeout but the packet are correctly received on the interface.

our idea is that the packets are dropped because they are received through the phisical interface with mac address different from bond.

jimvam · Mon Feb 27, 2023 7:17 am

Hello, after installing I have a major problem on my Ltap Lte6 kit not recognizing properly my second lte connection using a pci-e lte card.
I have to change pci to usb and back in order to start it so after a reboot my client is losing second lte...

rpingar · Mon Feb 27, 2023 8:39 am

we hit another bug on arm64 ccr2004:
- bonding intererface with two sfpplus
- a vlan on the bond
- multiple ips of the same subnet on the vlan

when you ping another ip of the same subnet (l2) through the bond the pocket for some of the ip on the bond are dropped (ping timeout), other packet for other ip are accepted.
[SUP-108960] opened with supout and pcap file on the interface when we see ping timeout but the packet are correctly received on the interface.

our idea is that the packets are dropped because they are received through the phisical interface with mac address different from bond.

we found a way to workaround this issue:
- a script to run at boot that disable all three ips and then enable first (the second one and then the others), disable again all the three ips, then finallly enable them starting from the third.

seems a bug when there are multiple ips of the same subnet on the interface with firewall nat ruels, the first ip is well initialized the others not, so enabling recursively all ips as the first, solve the problem.

regards

Mon Feb 27, 2023 10:54 am

RouterOS v7.8 has been released
viewtopic.php?t=193986

Who is online