EdPa
MikroTik Support

v7.17beta [testing] is released!

Fri Sep 27, 2024 4:24 pm

RouterOS version 7.17beta has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during the upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.17beta6 (2024-Nov-20 09:58):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled (additional fixes);
!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) bridge - fixed bridge packet transmit if dhcp-snooping is enabled (introduced in v7.17beta5);
*) disk - added mount-read-only and mount-filesystem options to allow read-only mounts and prevent mounting device at all (CLI only);
*) firewall - improved matching from deeply nested interface-lists (additional fixes);
*) ipv6 - added support for manual link-local address configuration;
*) lte - improved recovery after unexpected modem reboot for Chateau's 5G and 5G R16 series devices;
*) port - display a warning when using invalid log-file with the "remote-access" feature;
*) ptp - fixed DSCP values for IPv4 packets;
*) ptp - fixed synchronization on QSFP28 interfaces (additional fixes);
*) qos-hw - allow to disable/enable profiles, disabled or removed profile gets replaced with the default (additional fixes);
*) routerboot - improved stability for IPQ8072 and IPQ6010 when flash-boot is used ("/system routerboard upgrade" required);
*) smb - stability improvements for client/server (additional fixes);
*) supout - do not create autosupout.rif for second time after system reboot;
*) tftp - improved stability;
*) winbox - improved stability;

What's new in 7.17beta5 (2024-Nov-13 12:51):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled;
!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) bonding - hide mlag-id property on non-compatible devices;
*) bridge - added message for inactive port reason;
*) bridge - added priority setting to manually elect primary MLAG peer (CLI only);
*) bridge - fixed MVRP registrar and applicant port options;
*) bridge - prioritize MAC selection from Ethernet interfaces when using auto-mac feature;
*) bridge - re-synchronize MLAG system-id when bridge MAC changes;
*) bridge - update dynamic MSTI priority value when changing configuration;
*) certificate - do not download CRL if there is not enough free RAM;
*) certificate - do not show not relevant values for certificate template (CLI only);
*) certificate - removed unstructured address field support;
*) chr - added Chelsio VF driver for PCIID 5803;
*) console - added json.no-string-conversion to :serialize;
*) console - increased w60g scan-list size to 6;
*) console - show system-id in export for CHR;
*) container - fixed user and group ID range;
*) container - improved container shell;
*) defconf - do not add default password for CAP mode configuration on older Audience devices without a password;
*) detnet - remove dynamic DHCP client creation;
*) device-mode - added "allowed-versions" list which are allowed to be installed without "install-any-version" mode enabled;
*) device-mode - added routerboard, install-any-version and partitions features;
*) device-mode - limit device-mode update maximum allowed attempt count which can be reset only with reboot or button press;
*) device-mode - provide more precise device-mode update action printout;
*) dhcp-server - improved stability (introduced in v7.17beta4);
*) dhcp-server - use single RADIUS accounting session for IPv4 and IPv6 when dual stack is used (additional fixes);
*) dhcpv6-client - improved system stability when DHCPv6 client is enabled on non-existing interface;
*) dhcpv6-client - log message when response with invalid transaction-id received;
*) dhcpv6-server - added IPv6 address delegation support;
*) dhcpv6-server - improved system stability when removing actively used DHCPv6 server;
*) disk - add support for SWAP, currently allowed on any block device with "set x swap=yes" when container package is installed (CLI only);
*) disk - added "type=file" for file-based block devices, useful for using file as a swap, or when having file-based filesystem images (CLI only);
*) disk - added btrfs filesystems list (CLI only);
*) disk - auto mount iso and squashfs images;
*) disk - fixed managing and cleaning up mount points;
*) disk - fixed raid role auto selection for up to 64 drives;
*) disk - recognize virtual sd* interfaces;
*) disk - show usage as percentage (CLI only);
*) dns - added option to create named DNS servers that can be used as forward-to servers (additional fixes);
*) ethernet - improved linking after reboot for hAP ax lite devices ("/system routerboard upgrade" required);
*) ethernet - improved stability after reboot for Chateau PRO ax;
*) ethernet - improved system stability for CCR2004-1G-2XS-PCIe device;
*) firewall - added support for random external port allocation;
*) firewall - improved matching from deeply nested interface-lists;
*) ftp - added VRF support;
*) gps - LtAP mini, change default GPS antenna for new devices;
*) iot - added additional debug for LoRa logging;
*) iot - added support for USB Bluetooth dongles (LE 4.0+) which enables Bluetooth functionality;
*) iot - LoRa LNS improvement;
*) iot - modbus rework which improves Tx Rx switching behavior;
*) ipsec - ike2 improved process for policies;
*) lte - disabled ims service for Chateau 5G on operator "3 AT" network (PLMN ID 23205);
*) lte - drop operator selection support for R11e-4G modem as it is unreliable;
*) lte - fixed network registration for R11e-4G modem (introduced in v7.17beta2);
*) lte - fixed SMS sender parsing;
*) lte - improved R11eL-EC200A-EU modem firmware upgrade procedure;
*) lte - improvements to modem "firmware-upgrade" command (additional fixes);
*) lte - MBIM increased assignable APN profile count up to 8 when modem firmware allows it;
*) lte - modem firmware update (FOTA), added support to install provider specific version (additional fixes);
*) lte - set "sms-read=no" and "sms-protocol=auto" as default values;
*) modem - KNOT BG77 modem, improved handling of modem unexpected restarts;
*) netinstall - removed unused "Get key" button;
*) netwatch - fixed IP address variable for DNS probe;
*) ospf - improved stability on configuration update;
*) ovpn-client - added tls-crypt, tls-crypt-v2 support;
*) pimsm - improved system stability after interface disable;
*) poe-out - added low-voltage-too-low status;
*) poe-out - reset PoE-out configuration before reboot when using reset-configuration command;
*) poe-out - upgraded firmware for CRS354-48P-4S+2Q+ device (the update will cause brief power interruption to PoE-out interfaces);
*) port - more detailed print command output, include in "USED-BY" property channel number(s);
*) ppp - add routes in matching VRF;
*) ppp - added support for bridge-port-trusted configuration via ppp profile;
*) ppp - do not print local/remote pool related errors in log when configuration does not require pool usage;
*) ppp - fixed typos in log message;
*) ptp - added PTP support for CRS320-8P-8B-4S+ and CRS326-4C+20G+2Q+ devices;
*) ptp - fixed synchronization on QSFP28 interfaces;
*) romon - added dynamic switch rules on devices supporting it when enabling the service;
*) romon - added interface-list support;
*) route - fixed discourse attribute print;
*) route - fixed possible issue with inactive routes after reboot (introduced in v7.16);
*) routing-filter - fixed subtract and add for numerical values (+x, -x);
*) sfp - fixed 1Gbps supported rate for RB960 and RB962 devices;
*) sfp - improved SFP28, QSFP28 interface stability using DAC cable for CRS520 switch;
*) snmp - added wifi fields to MIKROTIK-MIB (additional fixes);
*) ssh - do not regenerate host key after update from RouterOS version older than 7.9;
*) ssh - fixed password authentication (introduced in v7.17beta2);
*) ssh - improved logging;
*) supout - added BGP advertisements section;
*) switch - fixed storm-rate accuracy on 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) switch - improved system stability for RB5009 and CCR2004-16G-2S+ devices;
*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU) (additional fixes);
*) vpls - added support for bridge-pvid configuration;
*) webfig - allow download from file details;
*) webfig - reduce flickering when table is sorted by column with duplicate values (additional fixes);
*) wifi - add information to each interface, showing which CAPsMAN manages it or which CAP hosts it when applicable;
*) wifi - added station-roaming support (additional fixes);
*) wifi - fixed failure with "auto" peer update on the OWE interface;
*) wifi-qcom-ac - fix possible conflict between radio and USB initialization on hAP ac2;
*) wifi-qcom-ac - improved CPU load balancing and system stability;
*) winbox - added Enable/Disable buttons under "Tools/Graphing" menus;
*) winbox - allow to edit Ethernet MAC address;
*) winbox - refresh values under "Bridge/VLANs/MVRP Attributes" menu;
*) winbox - renamed wrong invalid interface flag to inactive;
*) x86 - Realtek r8169 updated driver;

What's new in 7.17beta4 (2024-Oct-18 11:32):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;
!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) arm64 - fixed for bare-metal servers to be able to access more than 2GB RAM;
*) arm64 - show CPU frequency on bare-metal installations;
*) bridge - correctly display PPP interfaces in VLAN menu;
*) bridge - fixed first host table response for SNMP;
*) bridge - fixed VLAN overlap check;
*) bridge - improved port handling;
*) certificate - fixed handling of capsman-cap certificates (introduced in v7.16);
*) console - added more argument definitions for mac-protocol property;
*) console - execute :return command without error;
*) crypto - improve crypto speeds (additional fixes);
*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;
*) defconf - changed wireless installation from "indoor" to "any";
*) defconf - disable 5GHz secondary channel on RB4011;
*) defconf - fixed new port name recognition;
*) device-mode - changed "partition" to allow activate and do not allow repartition (introduced in v7.17beta2);
*) device-mode - clarify message that pressing a button will reboot device;
*) device-mode - limit "/tool/ping-speed" and "/tool/flood-ping" under "traffic-gen" feature;
*) device-mode - show all features and active restrictions with "print" command;
*) dhcp-relay - added "local-address-as-src-ip" property;
*) dhcp-server - use interface ID for NAS-Port and added interface name to NAS-Port-ID attribute in RADIUS requests;
*) dhcp-server - use single RADIUS accounting session for IPv4 and IPv6 when dual stack is used;
*) dhcpv4-client - fixed crash when releasing disabled DHCP client;
*) dhcpv4-server - properly detect DHCP server address when underlying interface has multiple IP addresses configured;
*) dhcpv4-server/relay - added additional error messages for DHCP servers and relays;
*) discovery - added support for LLDP DCBX (additional fixes);
*) disk - added sshfs client to "/disk" menu (CLI only);
*) disk - improve slot naming and improvements for visualizing complex hardware topology;
*) disk - improve test to report zero byte iops;
*) disk - save raid superblock and raid bitmap superblock on member devices in 1.2 format/location;
*) disk - try all NFS versions (4.2,4.1,4.0,3,2) when mounting NFS in that order;
*) dns - added option to create named DNS servers that can be used as forward-to servers (CLI only) (additional fixes);
*) dns - do not look up local cache when executing ":resolve" command with specified "server" parameter (introduced in v7.16);
*) dns - refactored DNS service internal processes;
*) ethernet - log warning only about excessive broadcast (do not include multicast) and reduced log count;
*) file - do not needlessly scan large filesystems, could prevent unmounting;
*) graphing - fixed graphing rule removal (additional fixes);
*) health - changed PSU state from "no-ac" to "no-input";
*) igmp-proxy - refactored IGMP querier (additional fixes);
*) iot - fixed duplicate LoRa payloads in the traffic tab;
*) iot - limit mqtt publish message size to 32 KB;
*) iot - LoRa traffic tab RSSI now shows proper values for ARM architecture;
*) iot - mqtt improvement to support large payloads and gracefully discard payloads above size limit;
*) iot - removed some LoRa radio related parameters (e.g. RSSI-OFF and Tx-enabled) that were not meant to be changed (additional fixes);
*) ipv6 - added comment property to "/ipv6/nd/prefix" menu;
*) l3hw - improved system stability;
*) l3hw - rate limit error logging;
*) log - added hostname support to remote logging action;
*) log - added regex parameter for log filtering in rules;
*) lte - fixed "default-name" property in export when multiple LTE interfaces are used;
*) lte - fixed "lte monitor" signal reporting for RG520F-EU modem when connected to 5G SA network;
*) lte - fixed "operator" setting for EC200A-EU modem;
*) lte - fixed LTE band setting for SXT LTE 3-7;
*) lte - fixed roaming barring (allow-roaming=no) for EC200A-EU modem;
*) lte - set IPv6 address reporting format in modem init for AT modems and MBIM modems with AT channel;
*) mac-server - allow MAC-Telnet access through any bridged port when bridge interface is allowed;
*) mpls - added fast-path support for VPLS (additional fixes);
*) netwatch - added "ignore-initial-up" and "ignore-initial-down" properties (CLI only);
*) netwatch - fixed probe toggle when adding a comment;
*) ovpn-server - added "user-auth-method" property and allow mschap2 for RADIUS authentication;
*) ppp - added support for bridge-port-pvid configuration via ppp profile (additional fixes);
*) ppp - reuse link-local IPv6 address for static bindings when possible;
*) pppoe - added support for PPPoE server over 802.1Q VLANs (additional fixes);
*) ptp - added PTP support for CRS320-8P-8B-4S+ device;
*) ptp - make PTP process more stable and deterministic when applying configuration;
*) qos-hw - improved PFC behavior (additional fixes);
*) qos-hw - improved WRED and ECN behavior (additional fixes);
*) qos-hw - reworked PCP and DSCP mapping (now supports single, multiple and range values, previous configuration with minimal value mapping is converted to a single value);
*) rip - improved stability when changing metric;
*) route - fixed minor typo in failure message;
*) route - increased interface name length limit in log messages;
*) route - removed possibility for IPv6 routes to specify interface in the dst-address;
*) routerboot - fixed boot MAC for devices with Alpine CPU ("/system routerboard upgrade" required);
*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices ("/system routerboard upgrade" required);
*) smb - stability improvements for client/server (additional fixes);
*) snmp - added wifi fields to MIKROTIK-MIB;
*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);
*) ssh - improved speed;
*) ssh - prefer GCM ciphers for arm64 and x86 devices when ciphers=auto;
*) storage - preserve permissions,owners,attributes when syncing under "/file/sync";
*) storage,rsync - fixed to work with clients passing "-a" option;
*) supout - added device-mode section;
*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU) (additional fixes);
*) system - moved "/system/upgrade" to "/system/package/local-update";
*) vxlan - fixed issue causing to lose IPv6 VTEP address setting;
*) webfig - improved keyboard navigation (additional fixes);
*) webfig - reduce flickering when table is sorted by column with duplicate values (additional fixes);
*) wifi - added extra info to CAPsMAN about message;
*) wifi - fixed "disabled" property in certain cases;
*) wifi - fixed occasional failure to bring up management frame protection and channel switch capabilities;
*) wifi - improved FT roaming with WPA3 for some Apple devices;
*) wifi-qcom - updated regulatory info for Ukraine, Australia and United States;
*) winbox - renamed and moved "System/Auto Upgrade" to "System/Packages" menu;
*) winbox - show MLAG settings for CRS326-4C+20G+2Q+ device;
*) wireless - enable all chains by default for RB911 and RB922 series devices;

What's new in 7.17beta2 (2024-Sep-27 10:07):

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
!) webfig - redesigned HTML, styling and functionality;
*) 6to4 - fixed issue where 6to4 relay would not forward traffic unless destination address is set;
*) adlist - improved system stability;
*) adlist - improved logging;
*) adlist - optimized import on system with low disk space;
*) api - fixed REST API serialization of binary data;
*) arm64/x86 - added missing PCI id for mlx4 driver;
*) bridge - add HW offload support for active-backup bonds on 98DXxxxx, 88E6393X, 88E6191X and 88E6190 switches;
*) bridge - added interface-list support for VLANs;
*) bridge - disallow duplicate static VLAN entries;
*) bridge - disallow multicast MAC address as admin-mac;
*) bridge - enable faster HW offloading when detect-internet is disabled;
*) bridge - fixed incorrect HW offloaded port state in certain cases on MSTI add;
*) bridge - fixed missing slave flag on port in certain cases;
*) bridge - fixed port monitor with interface-lists;
*) bridge - fixed port move command;
*) bridge - fixed setting bridge MTU to L2MTU value;
*) bridge - fixed unstable MLAG when host moved between bonds too quickly;
*) bridge - ignore disabled interfaces when calculating bridge L2MTU;
*) bridge - improved stability;
*) bridge - removed support for master port config conversion (used before version 6.41);
*) bth - improved stability on system time change;
*) chr/arm64 - fixed kernel crypto use without crypto extensions for RPi CM4;
*) cloud - changed ddns-enabled setting from "no" to "auto" (service is enabled when BTH is enabled);
*) cloud - improved DDNS and VPN state stability;
*) console - added :range command;
*) console - added group-by property for print command;
*) console - added lf/crlf options to :convert transform;
*) console - added password property to "/system/ssh-exec" command;
*) console - added to/from=num option for :convert command;
*) console - allow clearing history for a specific user;
*) console - allow setting width to supout.rif output;
*) console - clear history when removing user;
*) console - disallow autocomplete hints for user without read policy;
*) console - fixed endless loop when closing input prompt;
*) console - force print paging when output does not fit terminal width;
*) console - improved printing output in some menus;
*) console - improved scripting system stability;
*) console - print warning in CLI after enabling protected bootloader;
*) console - removed "chain" names from print parameter list and show all print parameters in "/ipv6/firewall/filter" directory;
*) container - allow import from .tar.gz file;
*) crypto - improve crypto speeds;
*) device-mode - added "basic" mode and renamed "enterprise" to "advanced";
*) device-mode - added bootloader, downgrade and partitions features;
*) device-mode - allow feature and mode update on x86 via power button and reboot/shutdown from AWS;
*) device-mode - fixed feature and mode update on ARM64 Hetzner;
*) device-mode - fixed feature and mode update via power-reset on MIPSBE devices;
*) dhcpv4-client - correctly handle adding/setting empty dhcp-options;
*) dhcpv4-client - respect Renewal-Time (58) and Rebinding-Time (59) options;
*) dhcpv4-server - do not remove options set config when DHCP network is changed;
*) dhcpv4/v6-server - added address-list parameter to which address will be added if the lease is bound;
*) dhcpv6-client - added prefix-address-list parameter;
*) dhcpv6-client/server - added support for DHCPv6 reconfigure messages;
*) dhcpv6-server - include all existing prefixes (with lifetime 0) in renew reply and new prefix if RADIUS returns different prefix;
*) discovery - added support for LLDP DCBX;
*) discovery - use LLDP description field to populate platform, version and board-name;
*) disk - allow to configure global and per disk mountpoint template - [slot],[model],[serial],[fw-version],[fs-label],[fs-uuid],[fs] variables supported;
*) disk - improved system stability;
*) disk - read/show exfat filesystem label;
*) disk - remove 32 character slot name limit;
*) disk - show detailed mountpoint users when unable to unmount;
*) disk,nvme - show nvme namespaces if configured more than one on a nvme drive;
*) dns - added option to create named DNS servers that can be used as forward-to servers (CLI only);
*) dns - DoH whitelist support for adlist using static FWD entries;
*) dns - whitelist support for adlist using static FWD entries;
*) ethernet - improved interface stability for RB4011 devices;
*) fetch - fixed certificate check when provided hostname is IP address;
*) fetch - fixed large file (over 4GB) fetch in HTTP/HTTPS mode;
*) file - correctly identify mounted disks;
*) file - improved handling of changes to the file system;
*) file - support files over 4GB size;
*) file - update file size before trying to request content;
*) firewall - added none-dynamic and none-static arguments for IPv6 address-list-timeout settings;
*) firewall - added warning log for TCP SYN flood;
*) firewall - fixed "dst-limit" and "limit" matchers when using zero value for burst argument;
*) firewall - removed default mangle passthrough=yes configuration from export;
*) graphing - fixed graphing rule removal;
*) graphing - fixed queue graph storing on disk;
*) health - added cpu-overtemp-check on ARM, ARM64 devices (CLI only);
*) health - hide settings in CLI if there is nothing to show;
*) health - removed board-temperature on RB5009UPr+S+IN device;
*) igmp-proxy - refactored IGMP querier;
*) ike2 - improved performance by balancing multicore CPU usage for key exchange calculation also for initiator;
*) iot - added an option to print out LoRa traffic in CLI (not GUI-only option anymore);
*) iot - added new LoRa traffic FCnt packet counter parameter;
*) iot - bluetooth peripheral device menu now displays correct iBeacon major/minor values;
*) iot - fixed incorrect LoRa joineui filter export behavior;
*) iot - improvements to LoRa device's stats tab;
*) iot - removed crc-disabled and crc-error options from the LoRa forwarding;
*) iot - removed LoRa pause traffic option/setting;
*) iot - removed some LoRa radio related parameters (e.g. RSSI-OFF and Tx-enabled) that were not meant to be changed;
*) ipv6 - added IPv6 settings related to stale IPv6 neighbor cleanup;
*) isis - do not disable fast-path when isis is enabled on an interface;
*) isis - fixed console flags;
*) isis - fixed invalid L2 LSP type;
*) isis - make it work when MTU is larger than 1500;
*) isis - update interface MAC address on change (caused neighbor to get stuck in init state);
*) kid-control - use time format according to ISO standard;
*) leds - fixed issue where interface LEDs might not properly disable in some cases;
*) log - added basic validation for "disk-file-name" property;
*) log - use time format according to ISO standard;
*) lte - added option to check/install modem firmware from early-access/testing channel (CLI only);
*) lte - added provider specific firmware update (FOTA) for Cosmote GR networks on Chateau 5G;
*) lte - fixed long "PLMN search in progress" for SXT 3-7;
*) lte - fixed signal info reporting for FG621-EA modem in UMTS network;
*) lte - improved modem FW upgrade for Chateau 5G;
*) lte - improvements to modem "firmware-upgrade" command;
*) lte - modem firmware update (FOTA), added support to install provider specific version;
*) lte - removed trailing "F" symbol from uicc;
*) mac-telnet - use ASCII DEL as erase/backspace char instead of BS (fixes mac-telnet backspace for WinBox4);
*) macvlan - improved error when trying to create new interface on already busy parent interface;
*) macvlan - updated driver;
*) mpls - added fast-path support for VPLS;
*) mpls - added MPLS mangle support;
*) mpls - added support for "ICMP Fragmentation needed";
*) mpls - do not drop LDP peering session on PW deactivation;
*) mpls - do not reconnect VPLS on name or comment changes;
*) netinstall - save and restore device-mode configuration on format;
*) netinstall-cli - added "-o" option to install devices only once per netinstall run;
*) netinstall-cli - fixed x86 detection;
*) ospf - fixed memory corruption;
*) ovpn - added VRF support to OVPN server (server menu now supports multiple entries and previous server configuration is automatically imported);
*) ovpn - improved system stability;
*) poe-out - upgraded firmware for PSE (BT) controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) ppp - added support for bridge-port-pvid configuration via ppp profile;
*) ppp - set APN/PDN type "IPv4/v6" according assigned PPP profile protocol setting;
*) pppoe - added support for PPPoE server over 802.1Q VLANs;
*) profiler - classify ppp processing;
*) profiler - improved process classification;
*) profiler - renamed radv process to radvd;
*) ptp - added dynamic switch ACL rules in order to trap PTP packets to CPU instead of forwarding;
*) ptp - added option to configure L2 transport with forwardable and non-forwardable MAC destination;
*) ptp - display warning when none of the PTP ports has a link;
*) ptp - restrict configuring g8275 profile with IPv4 transport;
*) qos-hw - allow to disable/enable profiles, disabled or removed profile gets replaced with the default;
*) qos-hw - enabling PFC on port also requires setting egress-rate-queueN;
*) qos-hw - fixed export when changing default Tx Manager;
*) qos-hw - fixed incorrect port byte-use counter;
*) qos-hw - improved PFC behavior;
*) qos-hw - improved WRED and ECN behavior;
*) qos-hw - rename pfcN-pause and pfcN-resume to pfcN-pause-threshold and pfcN-resume-threshold;
*) qos-hw - switch-cpu port trust settings are forced to "keep";
*) queue - improved system stability when too many simple queues are added;
*) quickset - added "LTE AP" quickset profile with one wifi interface;
*) romon - send uptime in discovery (CLI only);
*) rose-storage - allow to set iscsi-iqn only when type=iscsi and allow nvme-tcp-name only when type=nvme-tcp;
*) rose-storage - do not allow to format exported disks;
*) rose-storage - enable autocomplete for local-path property in "/file/sync" menu;
*) rose-storage - enable more threads for faster RAID sync;
*) rose-storage - ensure unique nvme-tcp-names for nvme-tcp clients;
*) rose-storage - improved error messages;
*) rose-storage - improved system stability;
*) rose-storage,raid - improved stability of degraded arrays on startup;
*) rose-storage,raid - store superblock in 1.2 format, show raid super block info when detected to help with reassembling arrays;
*) route - improved stability;
*) routerboot - fixed boot MAC for MIPSBE CRS3xx and CRS5xx switches ("/system routerboard upgrade" required);
*) rsync - fixed when used over ssh and spaces in directory names;
*) sfp - fixed linking with 1Gbps optical modules with "combo-mode=sfp" configuration for CRS312 device;
*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices;
*) sfp - improved initialization and linking for some SFP modules;
*) sfp - improved power control configuration for QSFP optical modules according to the EEPROM field;
*) sfp - improved SFP auto-negotiation for L22, L23 devices;
*) smb - stability improvements for client/server;
*) socks - fixed comment property for access configuration;
*) ssl/tls - improved performance;
*) sstp - added pfs=required option to allow only ECDHE during TLS handshake;
*) supout - print non BGP and OSPF routes if route list is too large;
*) supout - reduce minimal RAM required for export to be included;
*) supout - use separate LTE section;
*) switch - added "all" argument for "new-dst-ports" switch rule property for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - added IPv6 flow label matching in switch rules for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - allow bond interfaces in switch rules for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - allow matching network bitmask for IPv4 and IPv6 dst/src-address properties in switch rule;
*) switch - disallow switch-cpu in "ports" and "new-dst-ports" rule properties for CRS3xx, CRS5xx, CCR2116, CCR2216 and RB5009 devices;
*) switch - fixed L2MTU for 25Gbps ports;
*) switch - fixed RSPAN error message when using mirror-target=cpu;
*) switch - fixed rule disable in certain cases for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) switch - fixed wrong MAC learning when port learning is disabled for 88E6393X, 88E6191X and 88E6190 switch chips;
*) switch - force "mac-protocol" when matching IPv4 or IPv6 specific properties;
*) switch - improved CPU performance for CRS328-24P-4S+ switch;
*) switch - make switch rule "ports" property not required and unsettable (allows matching packets on all switch ports);
*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU);
*) system - make ICMP error source address selection configurable (icmp-errors-use-inbound-interface-address parameter in ip settings);
*) system - make TCP timestamp handling configurable (tcp-timestamps parameter in ip settings);
*) upnp - rename service description file from gateway_description.xml back to gateway.xml;
*) user-manager - improved stability;
*) vrf - fixed packet handling with enabled queues;
*) webfig - added search option for settings;
*) webfig - fixed uploading files with Windows style newlines;
*) webfig - hide inherited wifi password;
*) webfig - improved keyboard navigation;
*) webfig - reduce flickering when table is sorted by column with duplicate values;
*) webfig - Skin Designer moved to centralized page;
*) webfig - status page is deprecated, old status page config will work, but can't be updated or created;
*) webfig - support unicode strings;
*) wifi - added a debug log entry when switching channel;
*) wifi - added ability to set security.owe-transition-interface to "auto";
*) wifi - added access-list stats (CLI only);
*) wifi - added configuration.installation property to limit use of indoor-only channels;
*) wifi - added debug log messages on station authentication mismatch;
*) wifi - added last-activity property in registration table;
*) wifi - added multi-passphrase (PPSK) support (CLI only);
*) wifi - added option to reset MAC address (CLI only);
*) wifi - added station-roaming support;
*) wifi - allow IPv6 LL address in caps-man-addresses;
*) wifi - disabled 802.11h on 2.4GHz station;
*) wifi - fixed failure to resume operation after DFS non-occupancy period has elapsed;
*) wifi - fixed the "no available channels" message still being displayed after a setting change has made some channels available;
*) wifi - indicate radios' ability to perform a channel switch in their "hw-caps" attribute;
*) wifi - indicate which channels are subject to DFS, or are indoor-only in output of "monitor" command;
*) wifi - re-word the "SA Query timeout" log message to "not responding";
*) wifi - show authentication type and wireless standard used by each client in registration table;
*) wifi - show regulatory limits on maximum bandwidth in output of radio/reg-info command;
*) wifi - when operating in station mode, log more information when AP switches to an unsupported channel;
*) wifi-qcom - added Superchannel country profile;
*) wifi-qcom-ac - allow use of channel 144 under "Japan" regulatory domain;
*) winbox - added "Scan" and "Test Disks" features under "System/Disks" menu;
*) winbox - added MAC address support for "Group" property under "Bridge/MDB" menu;
*) winbox - added missing properties under "IP/Neighbors" menu;
*) winbox - fixed duplicate timezone names;
*) winbox - fixed typo in "System/Reset Configuration" menu;
*) winbox - minimal required version is v3.41;
*) wireguard - do not initiate handshake when peer is configured as responder;
*) wireless - added option to reset MAC address (CLI only);
*) wireless - added vlan-id to registration-table;
*) wireless - allow to set Canada2 country profile when locked with US lock package for CubeG device;
*) wireless - fixed antenna gain for SXT5ac device;
*) wireless - preserve configured country while using setup-repeater, added "country" argument (CLI only);
*) zerotier - added debug logging;
*) zerotier - do not show default settings in export;
*) zerotier - upgraded to version 1.14.0;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version-related issues, then please send a supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device.

Please keep this forum topic strictly related to this particular RouterOS release.
 
blacksnow
Frequent Visitor
Posts: 56
Joined: Wed Feb 15, 2023 4:46 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 4:26 pm

Damn, you guys are killing it. Solid work, thank you!
Last edited by blacksnow on Fri Sep 27, 2024 4:59 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 6640
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 4:29 pm

And just before the weekend ... :lol:
 
parham
Frequent Visitor
Posts: 62
Joined: Sun Feb 15, 2015 11:35 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 4:31 pm

Thanks for ZT update, have a good weekend all.

*) zerotier - upgraded to version 1.14.0;
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 4:40 pm

Hi,

Does it have the same changes as the v7.17ab57 version provided by the MikroTik team for a possible IPsec policy solution?

Regards,
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 4:44 pm

ab57 is newer than beta2
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 4:45 pm

ab57 is newer than beta2
Thanks Normis, have a nice weekend and thanks for your hard work.

Regards,
 
ToTheFull
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 4:59 pm

*) dns - whitelist support for adlist using static FWD entries;
Thanks, trying now!
 
blacksnow
Frequent Visitor
Posts: 56
Joined: Wed Feb 15, 2023 4:46 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:01 pm

One tiny nitpicky thing, "Licence" on the login page is different than the "License" under /system. Can we standardize on a spelling? Either one is technically correct, one is old English and the other is new English.
 
jfim88
Frequent Visitor
Posts: 66
Joined: Tue May 07, 2024 8:57 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:07 pm

*) igmp-proxy - refactored IGMP querier;
Really hoping that this fixes the IPTV issues we are having with Movistar Spain (SUP-152693)
 
S8T8
Member Candidate
Posts: 127
Joined: Thu Sep 15, 2022 7:15 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:10 pm

This is a game-changer
*) wifi - added multi-passphrase (PPSK) support (CLI only);
 
erlinden
Forum Guru
Posts: 2585
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:18 pm

Got it running; besides working (as expected), I really like the Auth Type and Band in Wifi Registration!
 
eworm
Forum Guru
Posts: 1090
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:31 pm

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Oh! 😳

I have some remote Chateau (and other) devices with partitions. After update to 7.17beta2 and later I cannot switch the active partition if the backup partition booted for whatever reason?
 
victorbayas
just joined
Posts: 16
Joined: Wed Aug 07, 2024 1:56 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:32 pm

*) wifi-qcom - added Superchannel country profile;
Nice!
 
gigabyte091
Forum Guru
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:34 pm

Thank Gooood for PPSK... Truly a great day... Will test it as soon as possible. Great job Mikrotik !!
 
massinia
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:36 pm

After update CAPsMAN with wireless package stopped working, in the log there are tons of:
CAP failed to join MikroTik (::ffff:127.0.0.1:5246)
CAP connect to MikroTik (::ffff:127.0.0.1:5246) failed: timeout
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:37 pm

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Oh! 😳

I have some remote Chateau (and other) devices with partitions. After update to 7.17beta2 and later I cannot switch the active partition if the backup partition booted for whatever reason?
you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
 
macgaiver
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:38 pm

*) mpls - added fast-path support for VPLS;
This is huge, does anyone have any performance improvement numbers?
 
jfim88
Frequent Visitor
Posts: 66
Joined: Tue May 07, 2024 8:57 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:40 pm

*) igmp-proxy - refactored IGMP querier;
Really hoping that this fixes the IPTV issues we are having with Movistar Spain (SUP-152693)
My illusion vanished. Tested and still having the TV cuts.
 
eworm
Forum Guru
Posts: 1090
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:41 pm

you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
Sure, I got that... But devices are remote and I do not have physical access...

Definitely something to be handled with care.
 
STMT
MikroTik Support
Posts: 8
Joined: Tue Aug 30, 2022 12:02 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 5:42 pm

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Oh! 😳

I have some remote Chateau (and other) devices with partitions. After update to 7.17beta2 and later I cannot switch the active partition if the backup partition booted for whatever reason?
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
The device-mode can be changed by the user, but remote access to the device is not enough to change it.
/system/device-mode/update partitions=yes
After changing the device-mode, you need to confirm it, by pressing a button on the device itself, or perform a "cold reboot" - that is, unplug the power.
https://help.mikrotik.com/docs/display/ROS/Device-mode
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:00 pm

*) wifi - show authentication type and wireless standard used by each client in registration table;
Awesome! Only submitted this as a feature request (SUP-158802) in mid-July. Now it already happened. This is a really great job! Thank you, Mikrotik team!
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:03 pm



Really hoping that this fixes the IPTV issues we are having with Movistar Spain (SUP-152693)
My illusion vanished. Tested and still having the TV cuts.
Refactoring does not change functionality or fix bugs. It is just a process of "restructuring"/cleaning up source code.
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:18 pm

Do I understand correctly, that after upgrading to 7.17beta2, ROS downgrade will be available ONLY by changing the upgrade channel?
 
eworm
Forum Guru
Posts: 1090
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:26 pm

No. You will have to enable downgrade in device-mode, after that it works as before.
 
nithinkumar2000
Member Candidate
Posts: 165
Joined: Wed Sep 11, 2019 7:42 am
Location: Coimbatore
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:31 pm

Awesome changelog, Mikrotik Team.

Wish we could get MPLS/VPLS and PPPoE multi-core processing; that feature would be a real game changer
 
CTassisF
newbie
Posts: 36
Joined: Thu Jun 11, 2020 10:26 pm
Location: São Paulo, Brazil
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:40 pm

I've just upgraded my RB5009, hAP ax3 and hAP ac3 from v7.16rc5 to v7.17beta2 and so far so good.

I just noticed that:
  1. An OpenVPN server was created during the upgrade. Fixed that with /interface/ovpn-server/servers/remove [find]; and
  2. /zerotier now shows disabled=no disabled=no.

Other than that, a very clean upgrade despite the lengthy changelog. Good work MikroTik!
 
gigabyte091
Forum Guru
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:40 pm

So PPSK is available only on ax devices ?
Only supported on wifi-qcom interfaces, if wifi-qcom-ac AP has a client that uses a passphrase that has vlan-id associated with it, the client will not be able to join.
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:49 pm

No. You will have to enable downgrade in device-mode, after that it works as before.
How then should we understand this?
From https://help.mikrotik.com/docs/display/ROS/Device-mode
Note, downgrade mode does not allow to run /system package downgrade command, but you can switch between RouterOS release channels (stable, testing, etc.) and change RouterOS versions.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 6:56 pm

After upgrade to 7.17beta2, my RB1100AHx4 test router upgraded no problem. However...a ROSE RAID "disk" did not mount.
I rebooted and it still did not mount. I removed the RAID "disk", and re-added it again, still did not work. I disabled/re-enabled the new raid disk, and then it came up without any data loss. But it should have come up mounted already...

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
The device-mode can be changed by the user, but remote access to the device is not enough to change it.
Since y'all are making changes in device-mode... One request is that there be some netinstall option (or another tool) to set the device-mode upon provisioning, since it's not convenient to set if you deal with many routers. Since physical access is required for netinstall, I don't think that changes the security model. For CPEs, it'd be nice to restrict more in device-mode... but that's not so easily automated. For my case, being able to set device-mode, without a power-cycle, from a netinstall/branding defconf (/system/default-configuration) would be ideal.
 
riv
newbie
Posts: 30
Joined: Wed Jun 07, 2006 4:16 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:15 pm

BGP still missing ibgp-rr-client local.role since 7.16
 
clambert
Member Candidate
Posts: 160
Joined: Wed Jun 12, 2019 5:04 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:19 pm

*) mpls - added fast-path support for VPLS;
Is there any updated documentation on fast-path? The information I could find is very outdated (https://help.mikrotik.com/docs/pages/vi ... S-FastPath).
 
mrz
MikroTik Support
Posts: 7175
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:27 pm

BGP still missing ibgp-rr-client local.role since 7.16
It will be missing because ibgp-rr-client had no special meaning, it is the same as ibgp.
 
eworm
Forum Guru
Posts: 1090
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:27 pm

How then should we understand this?
From https://help.mikrotik.com/docs/display/ROS/Device-mode
Note, downgrade mode does not allow to run /system package downgrade command, but you can switch between RouterOS release channels (stable, testing, etc.) and change RouterOS versions.
You can still downgrade from 7.17beta2 to 7.16 by switching the channel from testing to stable. That works for the versions channels only.

But you can not upload old npk files and run the downgrade command by default. For that you need to enable the downgrade feature in device-mode.
 
rpingar
Long time Member
Posts: 593
Joined: Fri May 28, 2004 2:46 pm
Location: Italy

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:32 pm

may you clarify this?
*) pppoe - added support for PPPoE server over 802.1Q VLANs;

regards
 
riv
newbie
Posts: 30
Joined: Wed Jun 07, 2006 4:16 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:49 pm

BGP still missing ibgp-rr-client local.role since 7.16
It will be missing because ibgp-rr-client had no special meaning, it is the same as ibgp.
I'm losing l2vpn routes ever since 7.16
So either l2vpn is broken, or ibgp-rr-client does have an effect

Because up to 7.15.3 (which does have ibgp-rr-client functionality), BGP l2vpn works
 
Guntis
MikroTik Support
Posts: 203
Joined: Fri Jul 20, 2018 1:40 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:50 pm

"So PPSK is available only on ax devices" - no the limitation is only if you use vlan-id. You can still use multi-passphrase feature on wifi-qcom-ac interfaces, it's just that you can't use entries that would assign vlan-id. "vlan-id" will only work with wifi-qcom interfaces.
 
riv
newbie
Posts: 30
Joined: Wed Jun 07, 2006 4:16 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 7:53 pm

on 7.16 and above
> routing/route/print where afi=l2vpn
Flags: H - HW-OFFLOADED
Columns: DST-ADDRESS, AFI
  DST-ADDRESS  AFI  
H 56286:100    l2vpn
before 7.16
> routing/route/print where afi=l2vpn
Flags: U - UNREACHABLE, A - ACTIVE; b - BGP; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
     DST-ADDRESS  GATEWAY   AFI    DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW        
 bH+ 56286:100    10.1.4.1  l2vpn       200     40            30  100.121.4.5%vlan2142
                                                                  100.122.4.5%vlan2242
AbH+ 56286:100    10.1.4.1  l2vpn       200     40            30  100.121.4.5%vlan2142
                                                                  100.122.4.5%vlan2242
AbH+ 56286:100    10.1.4.2  l2vpn       200     40            30  100.121.4.5%vlan2142
                                                                  100.122.4.5%vlan2242
 bH+ 56286:100    10.1.4.2  l2vpn       200     40            30  100.121.4.5%vlan2142
                                                                  100.122.4.5%vlan2242
UbH  56286:100    10.2.4.2  l2vpn       200     40            30                      
UbH  56286:100    10.2.4.2  l2vpn       200     40            30                      
  H  56286:100              l2vpn         0                                           
UbH  56286:100    10.2.4.2  l2vpn       200     40            30                      
  H  56286:100              l2vpn         0                                           
UbH  56286:100    10.2.4.2  l2vpn       200     40            30                      
UbH  56286:100    10.2.4.2  l2vpn       200     40            30                      
  H  56286:100              l2vpn         0                                           
 bH+ 56286:100    10.3.4.1  l2vpn       200     40            30  100.121.4.5%vlan2142
                                                                  100.122.4.5%vlan2242
AbH+ 56286:100    10.3.4.1  l2vpn       200     40            30  100.121.4.5%vlan2142
                                                                  100.122.4.5%vlan2242
 
daaf
just joined
Posts: 11
Joined: Sun Jan 12, 2020 4:39 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:16 pm

On hAP ax3
[admin@roca] /interface> print group-by=running 
group-by is to be used with count-only or show-ids
[admin@roca] /interface> /ip route                 
[admin@roca] /ip/route> print group-by=vpn 
group-by is to be used with count-only or show-ids
[admin@roca] /ip/route> 
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:31 pm

"So PPSK is available only on ax devices" - no the limitation is only if you use vlan-id. You can still use multi-passphrase feature on wifi-qcom-ac interfaces, it's just that you can't use entries that would assign vlan-id. "vlan-id" will only work with wifi-qcom interfaces.
What a pity. Assigning VLAN ID is a major use case. I hope that wifi-qcom-ac overcomes this restriction here and also in datapath one day.
 
FezzFest
Frequent Visitor
Posts: 95
Joined: Wed Jun 03, 2015 12:03 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:36 pm

you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
We have ~2000 devices high up on towers, some of them hundreds of kilometers away. Are you saying that once we upgrade to v7.17, we won't be able to downgrade them to an older version? That's a big yikes.
Last edited by FezzFest on Fri Sep 27, 2024 8:41 pm, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:40 pm

on 7.16 and above
> routing/route/print where afi=l2vpn
Flags: H - HW-OFFLOADED
Columns: DST-ADDRESS, AFI
  DST-ADDRESS  AFI  
before 7.16
> routing/route/print where afi=l2vpn
Flags: U - UNREACHABLE, A - ACTIVE; b - BGP; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
     DST-ADDRESS  GATEWAY   AFI    DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW        
The width of the current terminal does affect how many columns it outputs.... sure it ain't that?
 
pants6000
Frequent Visitor
Posts: 89
Joined: Fri Sep 26, 2014 5:30 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:48 pm

Would it be possible to have the upgrade process look at something in the pre-upgraded configuration to determine what the device-mode would be afterwards? Like maybe something in /system/note or some other text field that already exists in older versions, something like that? Or maybe a script that can set the option without having to put hands on the device to change it afterwards?
 
LionB12
just joined
Posts: 4
Joined: Fri Jun 09, 2023 5:32 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:50 pm

I am having issues with the beta on my RB5009, I have some stability issues with the SFP+ to RJ45 modules, even at 1G.
Also I am now unable to set the CPU frequency, something that was possible on 7.16.
 
gigabyte091
Forum Guru
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:51 pm

"So PPSK is available only on ax devices" - no the limitation is only if you use vlan-id. You can still use multi-passphrase feature on wifi-qcom-ac interfaces, it's just that you can't use entries that would assign vlan-id. "vlan-id" will only work with wifi-qcom interfaces.
Understood, but as @infabo stated assigning VLANs is a major use case here. But in my case it doesn't matter much. All of my devices at home are ax.
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:53 pm

Thanks for ZT update, have a good weekend all.

*) zerotier - upgraded to version 1.14.0;
+1
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:55 pm

*) mpls - added fast-path support for VPLS;
This is huge, does anyone have any performance improvement numbers?
I'm interested too! :P
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 8:59 pm

On the stats from 7.16 to 7.17beta2, there are +74 new commands and +803 new attributes (although the "group-by" gins up the numbers since that is in a lot of places ;))

*) zerotier - upgraded to version 1.14.0;
+1


There are also newer options in ZeroTier too that are not exposed... yet? i.e. it would be nice to control multipath and enable low-bandwidth mode
 
Paternot
Forum Guru
Posts: 1049
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 9:18 pm

I must say, ROS 7.x is shaping up quite nicely. Up until... 7.12? it was quite a bumpy ride, but things are shaping up really well lately. I think the worst teething problems are over, and now Mikrotik found its pace. These later versions have a much more... solid feeling. Of course, we still need feature parity with 6.x, but recently I've got the feeling things are more "business as usual" than before.

And the 7.17 changelog is really good. :D
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 9:20 pm

I agree.
 
guipoletto
Member Candidate
Posts: 201
Joined: Mon Sep 19, 2011 5:31 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 9:33 pm

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;

Please re-evaluate this

For SOHO devices managed by an end-user, this makes some sense

But for managed (and already deployed!) networks with hundreds of devices, mounted in inaccessible datacenter cages, ceilings and towers

The inability to switch partitions back, and/or downgrade to a previous working version is an absolute incentive to never-ever upgrade
This must be at least delayed until 7.x has a long-term channel
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 9:42 pm

you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
Sure, I got that... But devices are remote and I do not have physical access...

Definitely something to be handled with care.
I agree that this is BAD. I always put a second partition on routers, and do all upgrades remotely.
Now I would have to physically visit all the routers at the time I upgrade to 7.17 to get partition functionality back again???

Even worse: I assume the auto-switching of partitions on boot failure remains, and when due to a spiky power failure the router reboots to another partition I will no longer be able to switch it back to the partition it is supposed to run on, remotely???

I think such a change at least should have a workaround. E.g. on upgrade to 7.17 we can pass some parameter or put some file on the router so that it will automatically set the device mode compatible with what it was before.
Maybe even always do that when there are multiple partitions on the device, and perform that newfangled functionality only when a new partition is created with 7.17 already present, or when the user indicates he wants to.

While I understand that partitions could be abused by an attacker, effectively crippling them as part of an upgrade is a bad idea.
 
riv
newbie
Posts: 30
Joined: Wed Jun 07, 2006 4:16 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 9:43 pm


The width of the current terminal does affect how many columns it outputs.... sure it ain't that?
Very sure
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 9:52 pm

*) mpls - added MPLS mangle support;
Yes, Mikrotik, thank you! This was needed for so long.

Looks like documentation/examples are already available:

https://help.mikrotik.com/docs/display/ ... LS+Queuing

This is a huge feature for us, fantastic news.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 9:54 pm

The width of the current terminal does affect how many columns it outputs.... sure it ain't that?
Very sure
Hmm, I couldn't repro in 7.17beta, RB1100AHx, WinBox4 terminal:
routing/route/print where afi~"ip6" 
Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, d - DHCP; H - HW-OFFLOADED; B - BLACKHOLE
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
     DST-ADDRESS                  GATEWAY           AFI  DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW    
Ac   ::1/128                      lo                ip6         0     10             5  lo              

Still I'd try winbox, or ssh if already using winbox... Maybe something broke here, dunno... just your TERMCAPS would be my first bet.
 
hagoyi
newbie
Posts: 33
Joined: Wed May 17, 2023 8:36 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 11:34 pm

*) dns - DoH whitelist support for adlist using static FWD entries;
*) dns - whitelist support for adlist using static FWD entries;
May you please make some samples, how to?
 
llag
Frequent Visitor
Posts: 72
Joined: Sat Aug 04, 2018 12:12 am

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 11:44 pm

*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices;
*) sfp - improved initialization and linking for some SFP modules;

Is this the fix for the Zaram xgspon modules? Can you please give a bit more details?
Last edited by llag on Sat Sep 28, 2024 1:03 am, edited 1 time in total.
 
bp0
newbie
Posts: 34
Joined: Thu May 06, 2021 5:06 pm

Re: v7.17beta [testing] is released!

Fri Sep 27, 2024 11:48 pm

Upgrade from 7.16 to 7.17beta2 changed /ip/neighbor/discovery-settings/mode from rx-only to tx-and-rx.
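
Two upgrade side effects reported in this thread, an OpenVPN server entry appearing and /ip/neighbor/discovery-settings/mode moving from rx-only to tx-and-rx, are the kind of drift a before/after export comparison catches. The following is an added example, not part of any post in this thread and not MikroTik code: a Python script that diffs two RouterOS export texts for a few watched menus. The sample exports, the watched-menu list and the ovpn-server property values are constructed assumptions.

```python
import re

# Menus whose changes should be reviewed after an upgrade (assumed selection).
WATCHED_MENUS = (
    "/interface ovpn-server",
    "/ip neighbor discovery-settings",
    "/ip service",
    "/zerotier",
)
UNSET = "<not in export>"
PROP_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample exports, not taken from a real device.
BEFORE = """\
/interface bridge
add name=bridge1
/ip neighbor discovery-settings
set discover-interface-list=LAN mode=rx-only
/ip service
set telnet disabled=yes
"""
# Assumption: after the upgrade "mode" equals the default, and a compact
# export omits default values, so the property simply disappears.
AFTER = """\
/interface bridge
add name=bridge1
/interface ovpn-server server
add mac-address=FE:00:00:00:00:01 name=ovpn-server1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip service
set telnet disabled=yes
"""


def parse_export(text):
    """Return {menu: {"props": {key: value}, "items": {command, ...}}}."""
    # Long commands are wrapped with a trailing "\" and an indented next line.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    menus, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, {"props": {}, "items": set()})
        elif current is not None:
            verb, _, rest = line.partition(" ")
            first = rest.split(" ", 1)[0]
            if verb == "set" and "=" in first:
                # "set key=value ..." on a settings menu: compare per property.
                menus[current]["props"].update(PROP_RE.findall(rest))
            else:
                # "add ..." or "set <item> ...": compare the whole command.
                menus[current]["items"].add(line)
    return menus


def diff_exports(before_text, after_text, watched=WATCHED_MENUS):
    """Return sorted (menu, kind, detail) findings limited to watched menus."""
    before, after = parse_export(before_text), parse_export(after_text)
    empty = {"props": {}, "items": set()}
    findings = []
    for menu in sorted(set(before) | set(after)):
        if not menu.startswith(watched):
            continue
        old, new = before.get(menu, empty), after.get(menu, empty)
        for line in sorted(new["items"] - old["items"]):
            findings.append((menu, "added", line))
        for line in sorted(old["items"] - new["items"]):
            findings.append((menu, "removed", line))
        # A property missing on one side is reported too: a naive search for
        # new lines would miss a value that silently fell back to its default.
        for key in sorted(set(old["props"]) | set(new["props"])):
            was = old["props"].get(key, UNSET)
            now = new["props"].get(key, UNSET)
            if was != now:
                findings.append((menu, "changed", f"{key}: {was} -> {now}"))
    return findings


if __name__ == "__main__":
    for menu, kind, detail in diff_exports(BEFORE, AFTER):
        print(f"{kind:8} {menu}: {detail}")
```

A property reported as `<not in export>` on the "after" side should be confirmed against the running value, since the export alone only shows that it is no longer a non-default setting.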
 
lilianmoraru
just joined
Posts: 1
Joined: Thu Aug 03, 2023 8:31 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 12:02 am

*) leds - fixed issue where interface LEDs might not properly disable in some cases;
Would be nice if you added the ability to disable LEDs on CRS310-8G+2S+, if that is possible.
 
nz_monkey
Forum Guru
Posts: 2180
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 2:05 am

Awesome changelog, Mikrotik Team.

Wish we could get MPLS/VPLS and PPPoE multi-core processing; that feature would be a real game changer
What's new in 7.17beta2 (2024-Sep-27 10:07):
*) mpls - added fast-path support for VPLS;

Should help with the first one, have you tested it ?
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 2:42 am

How are the ax devices going with the wifi and roaming, guys?
 
nz_monkey
Forum Guru
Posts: 2180
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 3:12 am

*) pppoe - added support for PPPoE server over 802.1Q VLANs;

Can we please get some documentation on this feature. Its potentially a game changer...
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 5:09 am

Updated all my AX hap and cap devices with firmwares, all seems to be working so far but early days
Should I wipe out my wifi config back to default with only ssid and passphrase installed and test it??
as I have changed a few things from previous ros to get the ax to play nice or should I leave it and say it is ok??
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 7:32 am

I just had the openvpn as well, what is it? and why did it get installed and enabled??
I had
possible SYN flooding on tcp port 2828
this is why I went looking for what and why and how

haven't looked at zerotier yet as I don't have it installed nor do I use it

I've just upgraded my RB5009, hAP ax3 and hAP ac3 from v7.16rc5 to v7.17beta2 and so far so good.

I just noticed that:
  1. An OpenVPN server was created during the upgrade. Fixed that with /interface/ovpn-server/servers/remove [find]; and
  2. /zerotier now shows disabled=no disabled=no.

Other than that, a very clean upgrade despite the lengthy changelog. Good work MikroTik!
 
riv
newbie
Posts: 30
Joined: Wed Jun 07, 2006 4:16 am

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 8:38 am


Very sure
Hmm, I couldn't repo in 7.17beta, RB1100AHx, WinBox4 terminal:
routing/route/print where afi~"ip6" 
Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, d - DHCP; H - HW-OFFLOADED; B - BLACKHOLE
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
     DST-ADDRESS                  GATEWAY           AFI  DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW    
Ac   ::1/128                      lo                ip6         0     10             5  lo              

Still I'd try winbox, or ssh if already using winbox... Maybe something broke here, dunno... just your TERMCAPS be my first bet.
My case is for BGP signaled VPLS, using Cisco route reflector
l2vpn and l2vpn-cisco afi

I don’t run any other afi, even ip

It stops working since 7.16 beta
Tried on PPC RB1100AHx2 and ARM CRS326 and CRS328
 
liviu2004
Frequent Visitor
Posts: 97
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 9:01 am

*) health - removed board-temperature on RB5009UPr+S+IN device;
why?
 
nichky
Forum Guru
Posts: 1389
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 9:06 am

*) mpls - added fast-path support for VPLS;

is there any flag that we can see that this is running?
 
phin
just joined
Posts: 21
Joined: Mon Dec 04, 2017 11:25 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 9:13 am

*) adlist - optimized import on system with low disk space;

Worked well on my hap ac2's. 260+ entry list.

However, they would no longer operate as caps, so i reverted back for the time being.
 
nichky
Forum Guru
Posts: 1389
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 10:06 am

*) ovpn - added VRF support to OVPN server (server menu now supports multiple entries);
This is a big one. Well done
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 11:05 am

*) health - removed board-temperature on RB5009UPr+S+IN device;
why?
Well, I noticed that the value is ridiculous. On most devices it is higher than CPU temperature, on one device even 10 degrees higher.
Probably someone has researched that and concluded that the circuitry is wrong and the value cannot be used.
 
bmann
newbie
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 11:38 am

Hello Mikrotik team,

I have 2 questions:
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
1. what does bootloader restriction do?
2. can you allow partitions feature in advanced mode if it is used in production already?

Something like:
system/device-mode/update mode=advanced partitions=yes

Why?
I have devices without easy physical access and I use partitions for upgrades. After an upgrade, when the device does not have connectivity, the script changes the active partition back to the original pre-upgrade one and reboots to the previous working state.

This change would break it and require visiting all devices physically.
 
massinia
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 11:39 am

*) adlist - optimized import on system with low disk space;

Worked well on my hap ac2's. 260+ entry list.

However, they would no longer operate as caps, so i reverted back for the time being.
Same also for me, I will wait for the new beta with CAPsMAN working 😅
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 11:49 am

Hi,

v7.17Beta2 and v7.17ab57. They cause me a "high" CPU consumption, IPSEC process. Reverting to v7.16 "stabilizes" the CPU, but policies may become stuck again, we'll see over the weekend.


Regards,
 
Jotne
Forum Guru
Posts: 3339
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 3:10 pm

Good to see new beta releases :)
But sad to see no information about fixing the broken log format. :(
Have waited 7 years, so can wait some more ;)
viewtopic.php?t=124291
 
nescafe2002
Forum Veteran
Posts: 914
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 3:14 pm

Jotne, could you please stop reminding everyone on this forum about the logging prefix/format. It is annoyingly repetitive and not (see opening post) "strictly related to this particular RouterOS release."
 
Jotne
Forum Guru
Posts: 3339
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 3:28 pm

I will do when RFC 5424 is implemented. MT told this may wait to a major new release.
As far as I see there are several major new functions even in this release, all marked !)
Like these two:
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
!) webfig - redesigned HTML, styling and functionality;

You do not need to read my posts.
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 3:34 pm

*) dhcpv4-client - respect Renewal-Time (58) and Rebinding-Time (59) options;
*) dhcpv6-client/server - added support for DHCPv6 reconfigure messages;
*) dhcpv6-server - include all existing prefixes (with lifetime 0) in renew reply and new prefix if RADIUS returns different prefix;
Hurray! Hurray!
Years and years and maybe now will respect the RFC!

I will test it as soon as possible!

But if it really works, operators of IPoE with MikroTik CPEs will thank you a lot!
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 3:54 pm

Hi,

v7.17Beta2 and v7.17ab57. They cause me a "high" CPU consumption, IPSEC process. Reverting to v7.16 "stabilizes" the CPU, but policies may become stuck again, we'll see over the weekend.
*) crypto - improve crypto speeds;
🤔
 
rpingar
Long time Member
Posts: 593
Joined: Fri May 28, 2004 2:46 pm
Location: Italy

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 4:15 pm

*) pppoe - added support for PPPoE server over 802.1Q VLANs;

Can we please get some documentation on this feature? It's potentially a game changer...
it is huge!
we tested in the lab.
No need to have the vlan interfaces created on the ethernet interface, just one pppoe-server specifying all the vlan id where it could work and applied on the ethernet interface.
And all the pppoe-client on the vlans get authenticated!
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 4:44 pm

*) zerotier - upgraded to version 1.14.0;
Thanks for ZT update, have a good weekend all.
+1
There are also newer options in ZeroTier too that are not exposed... yet? i.e. be nice to control multipath and enable low-bandwidth mode
Has anyone checked if private moons support is really working?
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 5:03 pm

There are many expectations among the most active users regarding MPLS performance optimization.

My personal expectation is that MPLS ingress/egress (PE) will have the same type of performance as label swapping, being done in hardware offload.
viewtopic.php?p=1097834#p1097834


Nithinkumar2000 frequently requests that this type of traffic be forwarded using MultiThreading.
Wish if we can get MPLS/VPLS and PPPOE Multi core processing feature will be a real game changer
Both requests are well-founded!

On this latest beta release what we had was:
*) mpls - added fast-path support for VPLS;

I may be wrong, but what has come so far (fast-path) despite meaning a very good performance gain, is neither hardware offload nor multithreading support, right?

I imagine it is a step closer to taking this to hardware offloading, but it is not there yet.

Could the MikroTik guys explain this better?
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 5:22 pm

*) pppoe - added support for PPPoE server over 802.1Q VLANs;

Can we please get some documentation on this feature? It's potentially a game changer...
it is huge!
we tested in the lab.
No need to have the vlan interfaces created on the ethernet interface, just one pppoe-server specifying all the vlan id where it could work and applied on the ethernet interface.
And all the pppoe-client on the vlans get authenticated!
Sounds like the "stacked-vlan-ranges dynamic-profile" for vlan demux of Junos, or the "user-vlan any-other" of Huawei.
But the lack of documentation scares me a bit.

What if I want that one specific vlan on a range operates on a different profile?
What if I want that one specific vlan do not listen PPPoE?
Last edited by fischerdouglas on Mon Sep 30, 2024 11:53 am, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 6:21 pm

No need to have the vlan interfaces created on the ethernet interface, just one pppoe-server specifying all the vlan id where it could work and applied on the ethernet interface.
What if I want that one specific vlan on a range operates on a different profile?
What if I want that one specific vlan do not listen PPPoE?
I don't need this but I can see in ISP world how this be handy: benefits of VLANs for switching and PPPoE for accounting/etc.

My crystal ball tells me there is a new "pppoe-over-vlan-range=1001-1999" on /interface/pppoe-server/server. So it appears you specify a single range of VLANs to use. And, while not documented, I'd hope if it's not in that range (or untagged)... it should be ignored by the PPPoE server.

So to @fischerdouglas point, and since in beta, the "pppoe-over-vlan-range=" should actually accept a comma and/or multiple ranges. It apparently right now is exactly one range. I would have expected something like pppoe-over-vlan-range=100,200-299,1010-1020 to work - but it's really only a single range with "-" that's accepted. So if you want just one VLAN, it's still a range. And if the VLANs you'd like to use are not continuous, well, they'd have to be to use "PPPoEoVLAN" feature.
 
liviu2004
Frequent Visitor
Posts: 97
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 6:26 pm



why?
Well, I noticed that the value is ridiculous. On most devices it is higher than CPU temperature, on one device even 10 degrees higher.
Probably someone has researched that and concluded that the circuitry is wrong and the value cannot be used.
It is still advertised as having PCB temperature monitor:

PCB temperature monitor Yes

https://mikrotik.com/product/rb5009upr_s_in

I get your explanation, might be so, or not, could be that the sensor is in a hot spot. Or an offset could be added to correct errors.
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 6:48 pm

My crystal ball tells me there is...
Hey @Amm0, It probably will sound weird... haha
But your crystal ball is fantastic!

Your code? Gooood!
I will take a look on it this weekend.

In my opinion, it surely is a thing to be on Useful user articles.

Unfortunately I do not doubt of the possibility of some effort of them to avoid that kind of transparency.
 
Kanzler
Member Candidate
Posts: 135
Joined: Wed Oct 05, 2022 6:55 pm
Location: Ukraine

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 6:53 pm

*) wifi-qcom - added Superchannel country profile;
Impossible for wifi-qcom-ac?
Last edited by Kanzler on Sat Sep 28, 2024 7:32 pm, edited 1 time in total.
 
patrick7
Member
Posts: 351
Joined: Sat Jul 20, 2013 2:40 pm

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 7:30 pm

What a pity. Assigning VLAN ID is a major use case. I hope that wifi-qcom-ac overcomes this restriction here and also in datapath one day.
That already works with RADIUS.
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17beta [testing] is released!

Sat Sep 28, 2024 8:05 pm

Hi,

v7.17Beta2 and v7.17ab57. They cause me a "high" CPU consumption, IPSEC process. Reverting to v7.16 "stabilizes" the CPU, but policies may become stuck again, we'll see over the weekend.
*) crypto - improve crypto speeds;
🤔
Hi,

Of course, now a l009uigs-rm has the H flag in the SAs.
/ip/ipsec/installed-sa/print
Regards,
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 5:22 am

Hi Gurus, what is this? I have never had this before until I upgraded to this beta 7.17
Possible SYN FLOODING on ports?
Should I be worried or is it normal?
Did my internet just try and refresh an IP from my ISP? Don't know what it is
 
victorbayas
just joined
Posts: 16
Joined: Wed Aug 07, 2024 1:56 pm

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 6:16 am

Would be great if MikroTik had rDNS for DHCP clients, I miss being able to identify the clients making requests to my Adguard Home server.
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA
Contact:

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 7:28 am

Wow! This is another great release, congratulations to the whole team!

---
*) bth - improved stability on system time change;
Is there any info on cases when this can cause crashes? We observed some hangs and it appears to be related to time changes, but since they're very infrequent it's hard to debug.
Overall, it would be amazing if changelogs could contain or link to some information about what "improved stability of X" actually means. Naturally I'm not asking for a full writeup, as this would be horrendously time consuming, but a single sentence of approximately what scenarios this can apply to.

*) dhcpv6-client - added prefix-address-list parameter
*) firewall - added none-dynamic and none-static arguments for IPv6 address-list-timeout settings
Is this maybe a preparation to support prefix mask, similarly to how ip6tables allows it, or am I reading too far? ;)

*) ptp - added dynamic switch ACL rules in order to trap PTP packets to CPU instead of forwarding
Is there any device support matrix, or any device with hardware ACLs can utilize that? Is it possible to copy-and-forward instead of just forwarding to CPU?

---
Possible SYN FLOODING on ports?
Should I be worried or is it normal?
@Coughy: Welcome to the open Internet - if you're not hosting anything on these ports just DROP on WAN. If you are, just ignore it and accept automatic scanners are normal nowadays.
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 11:57 am

cheers m8 yer i added these ports just never seen them before
cheers
Wow! This is another great release, congratulations to the whole team!

---
*) bth - improved stability on system time change;
Is there any info on cases when this can cause crashes? We observed some hangs and it appears to be related to time changes, but since they're very infrequent it's hard to debug.
Overall, it would be amazing if changelogs could contain or link to some information about what "improved stability of X" actually means. Naturally I'm not asking for a full writeup, as this would be horrendously time consuming, but a single sentence of approximately what scenarios this can apply to.

*) dhcpv6-client - added prefix-address-list parameter
*) firewall - added none-dynamic and none-static arguments for IPv6 address-list-timeout settings
Is this maybe a preparation to support prefix mask, similarly to how ip6tables allows it, or am I reading too far? ;)

*) ptp - added dynamic switch ACL rules in order to trap PTP packets to CPU instead of forwarding
Is there any device support matrix, or any device with hardware ACLs can utilize that? Is it possible to copy-and-forward instead of just forwarding to CPU?

---
Possible SYN FLOODING on ports?
Should I be worried or is it normal?
@Coughy: Welcome to the open Internet - if you're not hosting anything on these ports just DROP on WAN. If you are, just ignore it and accept automatic scanners are normal nowadays.
 
kalamaja
Member Candidate
Posts: 114
Joined: Wed May 23, 2018 3:13 pm

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 12:44 pm

Thanks, I see Apple devices with latest macOS/iOS are able to connect to 2.4GHz again on hAP AX3.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 2:28 pm

Would be great if MikroTik had rDNS for DHCP clients, I miss being able to identify the clients making requests to my Adguard Home server.
You can add a script that will be run when the DHCP server issues a lease, and in that script you can add a static DNS entry.
Some people have done that and published their script (of course they are not all great programmers...).
 
sharkys
newbie
Posts: 27
Joined: Sun Jun 22, 2014 2:01 am

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 3:32 pm

Anyone got problems with DHCP on this version? Seems that addresses are not getting assigned, had to revert back to 7.16
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 6:03 pm

Strange, but I got this error on devices inside the local network (wireless access points and switches):

possible SYN flooding on tcp port 8291
 
flynno
Member
Posts: 319
Joined: Wed Aug 27, 2014 8:11 pm

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 6:11 pm

Strange, but I got this error on devices inside the local network (wireless access points and switches):

possible SYN flooding on tcp port 8291
Set up a firewall rule to log addresses trying to reach these ports
 
loxmaty
just joined
Posts: 9
Joined: Wed Mar 29, 2023 8:49 am

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 8:17 pm

7.17beta2 does not solve the problem of disconnecting wifi on AX devices. I am very disappointed, I really wanted to buy a Mikrotik router, because it provides great flexibility of settings, but now I see that Mikrotik engineers cannot cope even with basic tasks. Why should I, like an idiot, go through the firmware in the hope that they fixed the banal problem of disconnecting wifi on AX devices, which everyone has known about for a long time. Again, this was broken after 7.15beta8. Everything that was there before works fine. It's been more than half a year... If you cannot solve it yourself, roll back the Qualcomm driver. I am very disappointed. I use more than 400 Mikrotik devices in my work as a system administrator, and I always recommended them to my clients, but apparently this has come to an end.
 
BillyVan
newbie
Posts: 41
Joined: Tue Sep 04, 2018 10:29 pm
Location: Greece

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 8:24 pm

Something strange happens with wireguard.
Only 2 of 5 wireguard peer connections connect.
Copy paste keys from scratch but no connection at all
 
gigabyte091
Forum Guru
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 8:31 pm

7.17beta2 does not solve the problem of disconnecting wifi on AX devices. I am very disappointed, I really wanted to buy a Mikrotik router, because it provides great flexibility of settings, but now I see that Mikrotik engineers cannot cope even with basic tasks. Why should I, like an idiot, go through the firmware in the hope that they fixed the banal problem of disconnecting wifi on AX devices, which everyone has known about for a long time. Again, this was broken after 7.15beta8. Everything that was there before works fine. It's been more than half a year... If you cannot solve it yourself, roll back the Qualcomm driver. I am very disappointed. I use more than 400 Mikrotik devices in my work as a system administrator, and I always recommended them to my clients, but apparently this has come to an end.
I had same problems as you, disabling WPA3 solved the problem. WiFi is now really rock solid. I hope Mikrotik solve this in the future.
 
gigabyte091
Forum Guru
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.17beta [testing] is released!

Sun Sep 29, 2024 8:32 pm

Anyone got problems with DHCP on this version? Seems that addresses are not getting assigned, had to revert back to 7.16
What do your logs say? If you are experiencing a problem please create a supout.rif file and open a ticket with support so they can fix the bug.

I have a few devices on 7.17beta and I experience no problems with dhcp server.
 
npeca75
Frequent Visitor
Posts: 75
Joined: Thu Aug 03, 2017 3:12 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 1:19 am

*) wifi - added multi-passphrase (PPSK) support (CLI only);
any documentation? example?
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 2:36 am

Would be great if MikroTik had rDNS for DHCP clients, I miss being able to identify the clients making requests to my Adguard Home server.
I guess it can be done with scripting on DHCP leases.
 
teleport
Frequent Visitor
Posts: 70
Joined: Mon Sep 07, 2020 11:51 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 8:11 am

Something strange happens with wireguard.
Only 2 of 5 wireguard peer connections connect.
Copy paste keys from scratch but no connection at all
have seen that happen especially when wan dhcp renews and my wireguard connections freak out and some will not connect again. no amount of disable/enable of peer/interface works. your best option is delete interface and recreate it. i have a script now to recreate all my wireguard connections.
 
whatever
Member
Posts: 365
Joined: Thu Jun 21, 2018 9:29 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 8:42 am

*) wifi - added multi-passphrase (PPSK) support (CLI only);
any documentation? example?
https://help.mikrotik.com/docs/display/ ... Properties
Scroll down / search for "multi-passphrase".
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 9:43 am

ok so fun fact i dropped to wan these ports
guess what, I can't log into the router via winbox with the ip address?
i can only log in via the mac id
so it is winbox trying to open /connect to ports in the router
i disabled the ports i was dropping to wan and i can now log in to the router again with the ip from winbox

EDIT PORT 8291 is the one dropping for winbox deleted it now i can login via ip from winbox
Strange, but I got this error on devices inside the local network (wireless access points and switches):

possible SYN flooding on tcp port 8291
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 9:57 am

multi-passphrase is not supported for the WPA3-PSK authentication type.


*) wifi - added multi-passphrase (PPSK) support (CLI only);
any documentation? example?
https://help.mikrotik.com/docs/display/ ... Properties
Scroll down / search for "multi-passphrase".
 
eworm
Forum Guru
Posts: 1090
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 10:57 am

Hmm, looks like the SFTP client is broken... The backup script on my lab device failed. All other devices running 7.16 did succeed, so I am sure the server is ok.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 11:55 am

Not again something with the special character replacement in filenames?
 
flynno
Member
Posts: 319
Joined: Wed Aug 27, 2014 8:11 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 11:59 am

ok so fun fact i dropped to wan these ports
guess what, I can't log into the router via winbox with the ip address?
i can only log in via the mac id
so it is winbox trying to open /connect to ports in the router
i disabled the ports i was dropping to wan and i can now log in to the router again with the ip from winbox

EDIT PORT 8291 is the one dropping for winbox deleted it now i can login via ip from winbox
Strange, but I got this error on devices inside the local network (wireless access points and switches):

possible SYN flooding on tcp port 8291
Set an address list call it "support" add IP range you wish to be able to access the router from then add rule
/ip firewall address-list
add address=X.X.X.X/X list=support

/ip firewall filter
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp src-address-list=support

Or you could use port knock

/ip firewall filter
# First knock: TCP 6789 puts the source on the "port:6789" list for 15 s
add action=add-src-to-address-list address-list=port:6789 \
address-list-timeout=15s chain=input dst-port=6789 protocol=tcp
# Second knock: UDP 1778 from a source on "port:6789" adds it to "support" for 5 min
add action=add-src-to-address-list address-list=support address-list-timeout=\
5m chain=input dst-port=1778 protocol=udp src-address-list=port:6789
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=\
tcp src-address-list=support
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 12:07 pm

What's new in 7.17beta2 (2024-Sep-27 10:07):
*) pppoe - added support for PPPoE server over 802.1Q VLANs;
Vlan Demux Interface - auto decapsule vlans

Will we see the equivalent to that on IPoE(DHCPv4, DHCPv6)?
I'm willing to bet we won't! Or at least not until RouterOSv8.

I feel like they solved the right problem in the wrong way...
They used eXtreme Go Horse methodology, reducing the scope to just what was badly described in issue of the sprint.
They forgot that the same methodology of Vlan-Demuxing(single or double tag) would apply to PPPoE, but also with IPoE and L2TP.

MVP is my ass!
Last edited by fischerdouglas on Mon Sep 30, 2024 12:25 pm, edited 1 time in total.
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 12:18 pm

cheers My GURU
did the address list version see if i did it correctly and if it works for me lol
so far it is give it a couple days to test more
but ty for the help, that's above my pay grade
I have created a drop to wan like this
add action=drop chain=input comment="Blocked ports" protocol=tcp dst-port=8728,53,2828
Is this the way to do it?
cheers pete
ok so fun fact i dropped to wan these ports
guess what, I can't log into the router via winbox with the ip address?
i can only log in via the mac id
so it is winbox trying to open /connect to ports in the router
i disabled the ports i was dropping to wan and i can now log in to the router again with the ip from winbox

EDIT PORT 8291 is the one dropping for winbox deleted it now i can login via ip from winbox

Set an address list call it "support" add IP range you wish to be able to access the router from then add rule
/ip firewall address-list
add address=X.X.X.X/X list=support

/ip firewall filter
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp src-address-list=support

Or you could use port knock

/ip firewall filter
add action=add-src-to-address-list address-list=port:6789 \
address-list-timeout=15s chain=input dst-port=6789 protocol=tcp
add action=add-src-to-address-list address-list=support address-list-timeout=\
5m chain=input dst-port=1778 protocol=udp src-address-list=port:6789
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=\
tcp src-address-list=support
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 12:21 pm

I feel like they solved the right problem the wrong way...

PPPoE is a special case as it's not IP on the physical interface side ... so they can easily add VLAN ID handling to pppoe process. And the feature is (currently) only available for PPPoE server, which may serve multiple VLANs and hence handling of VLAN internally really is handy (one server for many VLANs instead of many servers one per VLAN).
With IPoE it's much harder ... because it's not DHCP client which handles all the traffic, DHCP client could only configure VLAN interface instead of you (but then who is going to remove it when it's not needed any more? Etc.). Not the way to go IMO. If setting of VLAN ID for internet service is so hard, then MT should add possibility to set it in QuickSet (or the "provisioning for dummies" app) ... if that's not a thing yet.
 
flynno
Member
Posts: 319
Joined: Wed Aug 27, 2014 8:11 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 12:53 pm

cheers My GURU
did the address list version see if i did it correctly and if it works for me lol
so far it is give it a couple days to test more
but ty for the help, that's above my pay grade
I have created a drop to wan like this
add action=drop chain=input comment="Blocked ports" protocol=tcp dst-port=8728,53,2828
Is this the way to do it?
cheers pete


Set an address list call it "support" add IP range you wish to be able to access the router from then add rule
/ip firewall address-list
add address=X.X.X.X/X list=support

/ip firewall filter
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp src-address-list=support

Or you could use port knock

/ip firewall filter
add action=add-src-to-address-list address-list=port:6789 \
address-list-timeout=15s chain=input dst-port=6789 protocol=tcp
add action=add-src-to-address-list address-list=support address-list-timeout=\
5m chain=input dst-port=1778 protocol=udp src-address-list=port:6789
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=\
tcp src-address-list=support
Very good, you could also put before the winbox accept rule below;

/ip firewall filter
add action=drop chain=input comment="Blocked ports" dst-port=8728,53,2828 protocol=tcp src-address-list=!support

This will block addresses trying to reach each listed port that are not in the support list
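
Added example, not part of any post and not RouterOS code: a small Python model of first-match evaluation on the input chain, applied to the rules discussed above. It shows why the accept for the support list has to sit before the drop, and why the list the first knock writes to must be the one the second knock rule tests. The class and function names are hypothetical, the addresses are constructed documentation ranges, and the model assumes that add-src-to-address-list passes the packet on to the next rule and that unmatched input traffic is accepted.

```python
"""Toy first-match model of a RouterOS-style input chain (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                         # "accept", "drop" or "add-src-to-address-list"
    protocol: str                       # "tcp" or "udp"
    dst_ports: frozenset
    src_list: Optional[str] = None      # "name", or "!name" for a negated match
    address_list: Optional[str] = None  # list written by add-src-to-address-list
    timeout: Optional[int] = None       # entry lifetime in seconds


class InputChain:
    def __init__(self, rules, static_lists=None):
        self.rules = list(rules)
        self.lists = {}                 # list name -> [(network, expiry or None)]
        for name, cidrs in (static_lists or {}).items():
            self.lists[name] = [(ipaddress.ip_network(c), None) for c in cidrs]

    def _in_list(self, name, src, now):
        ip = ipaddress.ip_address(src)
        return any(ip in net and (exp is None or now < exp)
                   for net, exp in self.lists.get(name, []))

    def _matches(self, rule, src, proto, dport, now):
        if rule.protocol != proto or dport not in rule.dst_ports:
            return False
        if rule.src_list is None:
            return True
        negated = rule.src_list.startswith("!")
        return self._in_list(rule.src_list.lstrip("!"), src, now) != negated

    def evaluate(self, src, proto, dport, now=0):
        """Return the verdict of the first terminating rule that matches."""
        for rule in self.rules:
            if not self._matches(rule, src, proto, dport, now):
                continue
            if rule.action == "add-src-to-address-list":
                expiry = None if rule.timeout is None else now + rule.timeout
                entry = (ipaddress.ip_network(src), expiry)
                self.lists.setdefault(rule.address_list, []).append(entry)
                continue                # assumption: packet carries on to the next rule
            return rule.action
        return "accept"                 # assumption: unmatched input traffic is accepted


WINBOX = frozenset({8291})


def lockout_demo(accept_first):
    """Verdicts for (admin in support list, outsider) connecting to WinBox."""
    accept = Rule("accept", "tcp", WINBOX, src_list="support")
    drop = Rule("drop", "tcp", frozenset({8291, 8728, 53, 2828}))
    rules = [accept, drop] if accept_first else [drop, accept]
    chain = InputChain(rules, {"support": ["192.0.2.0/24"]})  # constructed range
    return (chain.evaluate("192.0.2.10", "tcp", 8291),
            chain.evaluate("203.0.113.50", "tcp", 8291))


def knock_rules(stage1_list):
    """Two-step knock; stage1_list is the list the first knock writes to."""
    return [
        Rule("add-src-to-address-list", "tcp", frozenset({6789}),
             address_list=stage1_list, timeout=15),
        Rule("add-src-to-address-list", "udp", frozenset({1778}),
             src_list="port:6789", address_list="support", timeout=300),
        Rule("accept", "tcp", WINBOX, src_list="support"),
        Rule("drop", "tcp", WINBOX, src_list="!support"),
    ]


def knock_then_winbox(stage1_list, gap=5, src="198.51.100.7"):
    """Knock TCP 6789, then UDP 1778 after `gap` seconds, then try WinBox."""
    chain = InputChain(knock_rules(stage1_list))
    chain.evaluate(src, "tcp", 6789, now=0)
    chain.evaluate(src, "udp", 1778, now=gap)
    return chain.evaluate(src, "tcp", 8291, now=gap + 1)


if __name__ == "__main__":
    print("accept before drop:", lockout_demo(True))
    print("drop before accept:", lockout_demo(False))
    print("matching list names:", knock_then_winbox("port:6789"))
    print("mismatched list names:", knock_then_winbox("port:1778"))
    print("second knock after 20 s:", knock_then_winbox("port:6789", gap=20))
```

With the drop placed first, even an address in the support list is refused, which is the IP-level lockout described earlier in the thread; MAC-based WinBox access is not covered by this model.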
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 1:15 pm

I feel like they solved the right problem the wrong way...

PPPoE is a special case as it's not IP on the physical interface side ... so they can easily add VLAN ID handling to pppoe process. And the feature is (currently) only available for PPPoE server, which may serve multiple VLANs and hence handling of VLAN internally really is handy (one server for many VLANs instead of many servers one per VLAN).
With IPoE it's much harder ... because it's not DHCP client which handles all the traffic, DHCP client could only configure VLAN interface instead of you (but then who is going to remove it when it's not needed any more? Etc.). Not the way to go IMO. If setting of VLAN ID for internet service is so hard, then MT should add possibility to set it in QuickSet (or the "provisioning for dummies" app) ... if that's not a thing yet.
Just like PPPoE is an ephemeral interface that exists while tunnel is active, a dynamic sub-if of a stacked vlan is an ephemeral interface that exists while there is traffic that specifies it.

This is pure control-plane.
- Trigger -> Any specified type of packet
- Action -> Create a sub-if, bind the specified service(PPPoE or DHCP) on it.
- Trigger -> Mac in sub-if = 0
- Action -> Remove sub-if.

If they had gone that way, that solution could be used in many contexts... Including PPPoE, DHCP, L2TP, 802.1X, VXLan, etc...
But, as they put a band-aid on it, it will never be on the priority list again.
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 1:24 pm

This is pure control-plane.
- Trigger -> Any specified type of packet
- Action -> Create a sub-if, bind the specified service(PPPoE or DHCP) on it.
- Trigger -> Mac in sub-if = 0
- Action -> Remove sub-if.
I have made several forum posts and support requests to MikroTik to open the box a bit...

Hooks that would allow some scripting, passing some variables.

This is exactly a case for that.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 1:49 pm

Just like PPPoE is an ephemeral interface that exists while tunnel is active, a dynamic sub-if of a stacked vlan is an ephemeral interface that exists while there is traffic that specifies it.
Sorry, I simply don't agree that having plethora of dynamic interfaces is a good thing ... just to work around a bit of (manual / scripted) configuration.

And: PPPoE is (kind of) ephemeral interface, tied to a tunnel ... which is either up or not and the transition between the two is pretty obvious (among others due to keep-alive mechanisms). You can't run PPPoE without running client (or server) so it's not even ephemeral in that sense (it can often be a very permanent interface).
DHCP client OTOH serves as an almost "stateless" client which simply pulls config from server ... so per-se it doesn't run any (ephemeral) tunnel or interface.
 
merkkg
just joined
Posts: 15
Joined: Thu Jan 19, 2017 11:50 am

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 1:54 pm

I have 1 issue so far after upgrading from 7.16 to 7.17 beta2 on LAB CCR2216

I have port showing as running/slave on interface list but on bridge it's showing as Inactive.
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 2:45 pm

Sorry, I simply don't agree that having plethora of dynamic interfaces is a good thing ... just to work around a bit of (manual / scripted) configuration.
Okay! You have the right to disagree!

But all other vendors with significant market share (Cisco, Huawei, Nokia, Juniper) have an approach to solving this!

The one I find most elegant is Juniper's.
https://www.juniper.net/documentation/u ... rface.html

And in this world of "not-so-big players", I have lost in somewhere in my mind that even VyOS can do that kind of dynamic sub-interface.
And running Accell binaries directly yourself (not in VyOS or other appliance), I'm sure allows you to handle this through Lua scripts both in PPPoE and DHCP.

P.S.: It is valid to say that this is a solution to be used in a Carrier Grade scenario, not in an enterprise or soho environment.
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 9:28 pm

On the stats from 7.16 to 7.17beta2, there are +74 new commands and +803 new attributes (although the "group-by" gins up the numbers since that in a lot of places ;))


+1


There are also newer options in ZeroTier too that are not exposed... yet? i.e. be nice to control multipath and enable low-bandwidth mode
I totally agree :)
 
spippan
Member
Posts: 460
Joined: Wed Nov 12, 2014 1:00 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 9:53 pm

some solid work on bridge regarding mlag and VLANs (will have to rework some bridge setups xD )

thanks a lot for the impressive work you doing here! pace is on!! cheers guys
 
maisondasilva
just joined
Posts: 1
Joined: Sun Apr 21, 2024 1:56 pm
Contact:

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 10:30 pm

7.17beta2 does not solve the problem of disconnecting wifi on AX devices. I am very disappointed, I really wanted to buy a Mikrotik router, because it provides great flexibility of settings, but now I see that Mikrotik engineers can not cope even with basic tasks. Why should I, like an idiot, go through the firmware in the hope that they fixed the banal problem of disconnecting wifi on AX devices, which everyone has known about for a long time. Again, this was broken after 7.15beta8. Everything that was there before works fine. It's been more than half a year... If you can not solve it yourself, roll back the Qualcomm driver. I am very disappointed. I use more than 400 Mikrotik devices in my work as a system administrator, and I always recommended them to my clients, but apparently this has come to an end.
Open a ticket with a support file this should help resolve this!
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 10:35 pm

Guys, you can complain here about wifi issues. But more important is a support ticket. The forum topics are not read regularly by Mikrotik staff and even then it is just a comment inside a long topic of tons of reported issues. Every official support ticket helps.
 
nizce
just joined
Posts: 23
Joined: Tue Sep 15, 2009 3:19 pm

Re: v7.17beta [testing] is released!

Mon Sep 30, 2024 11:24 pm

Just updated one of my CAPs (CAP AX) and it's completely gone.
I first updated my device which has capsman running (RB5009) before updating one of the CAPs.

It does not show up in capsman nor windows, and no signs of it in the logs on the RB5009.
I can however find its MAC-address when running mac-scan on the port that it is connected to on the RB5009, but it doesn't show up if I scan the Mac addresses on the MGMT VLAN that it (should) use.
But can't ping the MAC nor use Mac-telnet to connect to it.

Any recommendation on how to proceed?


----EDIT-----
Managed to reach it by changing the port on the RB5009 to which the CAP is connected to 'admit all' frame types instead of only tagged.
After I managed to login to it I noticed that the CAP AX had its ETH1 disabled and also the default route. Enabled those and it seemed to start working again, but reverted back to 6.16 stable.
Will keep it that way for a couple of beta versions more I guess :)
 
PackElend
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 6:32 am

Is there documentation for
*) wifi - added multi-passphrase (PPSK) support (CLI only);
?
 
macgaiver
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 7:11 am


----EDIT-----
Managed to reach it by changing the port on the RB5009 to which the CAP is connected to 'admit all' frame types instead of only tagged.
After I managed to login to it I noticed that the CAP AX had its ETH1 disabled and also the default route. Enabled those and it seemed to start working again, but reverted back to 6.16 stable.
Will keep it that way for a couple of beta versions more I guess :)
That doesn't seem related to RouterOS version upgrade, it never changes essential configuration such as disabling ethernet interfaces.
I would suggest to double check your configuration - Do you have any scripts scheduled on reboot? Was this state of configuration one of your previous configurations? Are you sure there is nobody else with access to that device?
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 9:00 am

Is there documentation for
*) wifi - added multi-passphrase (PPSK) support (CLI only);
?
https://help.mikrotik.com/docs/display/ ... passphrase
 
sharkys
newbie
Posts: 27
Joined: Sun Jun 22, 2014 2:01 am

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 9:19 am

Anyone got problems with DHCP on this version? Seems that addresses are not getting assigned, had to revert back to 7.16
What do your logs say? If you are experiencing a problem please create supout.rif file and open a ticket with support so they can fix the bug.

I have few devices on 7.17beta and I experience no problems with dhcp server.
Found the issue, I had to change the interfaces for other relays (up/down) - when I had all set to bridge, it stopped working on 7.17 beta.
I changed it as per relevant interfaces and works again fine.
Re logs, there were no errors, just: "dhcp_main offering lease 10.0.0.XX for XX:XX:XX:XX:XX:XX without success"
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 10:34 am

ofca, I understand your concern, but if you do not have any kind of backup access to these devices, how are you recovering in case of some failed upgrade? An alternative to push-button is cold reboot (power cycle).

**I would like to stress, that device-mode settings are entirely optional. Do your CPEs require traffic generator? If no, there is no need for this operation. **
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 10:44 am

ofca, I understand your concern, but if you do not have any kind of backup access to these devices, how are you recovering in case of some failed upgrade? An alternative to push-button is cold reboot (power cycle).
In case of some failed upgrade, I use "partitions" to recover. But you are blocking that by making it part of device-mode settings.
**I would like to stress, that device-mode settings are entirely optional. Do your CPEs require traffic generator? If no, there is no need for this operation. **
They are NOT. As far as I understand, the new 7.17 release will disallow the use of partitions (and some other things) unless you have enabled their use in device-mode. Which you can only do in physical presence of the device.
If it is not like that, please explain.

For device-mode settings to be "entirely optional", there should be a way to remotely add new device-mode settings that are added to a new release as part of an upgrade procedure.
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 3:26 pm

What's new in 7.17beta2 (2024-Sep-27 10:07):

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Would this be applied to all devices or only to devices which have their device-mode at default setting prior to update? It would be madness if it is applied to all devices - this would even enable some features disabled by user...
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 4:54 pm

I sure hope there will be a clear explanation of what happens to existing devices that use those features, for all reasonable existing device-mode settings.
E.g. in my devices, the setting is "enterprise" and on some of them "container: yes".
After I upgrade to 7.17, will my partitions still be functional and will I be able to downgrade when desired?
Or do I need to set a device mode and thus physically visit the device and make a change within 5 minutes before I can press the button?
(even that is not easy at some locations)
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 5:53 pm

Device-mode is poorly documented for what it is meant for. Take the list of "List of available properties" for example. It is a list of abstract "terms" but lacking any details. What does the property "bootloader" restrict? Does it prevent routerboard firmware upgrade? Or does it prevent changing routerboard settings? Or what exactly? Neither is clear by the word "partitions". What does "partition" restrict exactly? I am not allowed to have any partitions? No additional partitions to root partition? Am I allowed to have USB disks when "partitions" property effective? I could continue with many more questions. I don't know why this is not documented better.

Be honest:
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled; 
A one-liner is all we get? I don't care that much, I am just a home user, but some professionals already commented here. How can one - managing hundreds of devices - take precautions? Not ending up by locking down devices and climb up to some poles somewhere in the wild?

PS:
My favorite quote from the docs:
Disabled list feature is self-explanatory
https://help.mikrotik.com/docs/display/ ... xplanatory
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 6:03 pm

I sure hope there will be a clear explanation of what happens to existing devices that use those features, for all reasonable existing device-mode settings.
On my test RB1100AHx4 with 7.17beta2, it showed partitioning menu (with device-mode showing "mode: advanced" and "container=yes").

I have always thought @pe1chl/others scheme to use 2 partitions was a good one, but never set it up. i.e. if RouterOS works on 16MB flash, and you have 128MB NAND, why not have a backup version with older version to use the "extra space"? But my blocker was help.mikrotik.com does not exactly describe the process to do that, or much at all: https://help.mikrotik.com/docs/display/ROS/Partitions - I guess hiding it beyond device-mode avoids the need to cleanup the docs on it ;).

But given that device-mode should block this in 7.17beta2, I tried it anyway*. And 7.17 did let me change from 1 to "/partition/repartition 2", and asked to reboot. That got a bootloop with an error that it could not find a "system" showing up on serial port from RouterBOOT. Change the partitions back to 1 in RouterBOOT, and that fixed the bootloop (and all the files came back from NAND). But clearly "device-mode" didn't block anything, at least on RB1100 with whatever device-mode I had set.

Anyway...I actually like the device-mode concept - since we lost the ability to remove packages to pare down the UI/attack surface. But.... I'm not sure it's a good idea for an upgrade to change the mode. And do think device-mode should be able to at least be set via netinstall. Since operationally if you want to enable container on batch of units, to install a container during defconf... that cannot be automated.

* The RB1100 has serial port... so it's easier to be so cavalier. And I keep a LtAPmini with serial cables & does make quick work to get it out of a bootloop ;)
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 6:07 pm

What happens to devices, running ROS 7.16, upgrading to 7.17 with this setting:
/system/device-mode/update mode=enterprise traffic-gen=yes
Does it change to false? Or is it kept as is?
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 6:16 pm

Normally, partitioning works like this: you set the number of partitions to 2, the device will reboot and now you see 2 partitions, one is your running system and the other one is empty.
Then you highlight part0 and choose "copy to" part1.
After that you have two partitions that are the same, and part0 is "active" and "running".
Now when you upgrade, after reboot you will see part0 is the new version and part1 still is the old version. You can right-click part1, select "make active" and reboot, now you are back in the old version and when you check partitions you will see part1 is "active" and "running".
Every time before you upgrade or do some drastic config rework, you first copy the running partition to the other one, and you always have a backup.

There is one other feature: when the router crashes during boot, or when you interrupt power during boot, it will auto-switch to the other partition.
So when you have locked yourself out or the upgrade has gone very badly, it will recover by booting the other part.
This also is a risk, because when the power is flaky it may select the other partition unintentionally!
To prevent big problems, copy the partition (or only the config, when routeros version is the same) somewhat regularly.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 6:29 pm

@pe1chl, I kinda figured that, since you can see those options in /partition – I just played dumb, and followed winbox... it asked to reboot, so I just said yes & wanted to see what happens. And, I confirmed it was running the matching firmware before doing this too. But after reboot, I could not even get to winbox to do the "copy-to" step - since it got this bootloop:
Press any key within 2 seconds to enter setup..
writing settings to flash... OK

loading kernel partition 1... kernel not found or data is corrupted
writing settings to flash... OK

loading kernel partition 0... OK
setting up elf image... OK
jumping to kernel code
opendir: No such file or directory
opendir: No such file or directory
ERROR: no system package found!
[ 1.664332][ T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
[ 1.935283][ T1] Rebooting in 5 seconds..
:00000050
AL31400X-140
I also tried to set partition 2 as active, in case that's where it put (or maybe, I thought, it made TWO copies when you change the partition count). Same bootloop.

But none of this matches the release note here, since I should not have been able to even see partitions - at least in my reading of the !) note.

/system/device-mode/update mode=enterprise traffic-gen=yes
I'll add that /system/device-mode print should have a "detail" option that shows all the =yes / =no as resolved by the mode and other switches. AFAIK it takes consulting the docs to see what mode= means – with the meaning of mode= changing between versions.
 
sirbryan
Member
Posts: 392
Joined: Fri May 29, 2020 6:40 pm
Location: Utah
Contact:

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 7:21 pm

I use and enable partitions remotely ***all the time*** (on anything with large enough flash, particularly RB4011/5009/CCR's). And sometimes I forget to set all the things while I have physical access to it (i.e. on the bench/in the lab) before I deploy the router in the field.

Blocking the ability to change partition settings on already-deployed devices (without some kind of non-physical-access upgrade workaround) would be a huge hindrance, since many of my routers are in hard-to-reach locations. It's not easy/practical to change a setting, then have to drive + climb within 2-5 minutes and hit a button.

I agree that this change (and its ramifications) needs to be spelled out better in documentation somewhere instead of a terse, vague one-liner in release notes.
 
ofca
Member Candidate
Posts: 229
Joined: Fri Aug 20, 2004 7:18 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 7:38 pm

ofca, I understand your concern, but if you do not have any kind of backup access to these devices, how are you recovering in case of some failed upgrade? An alternative to push-button is cold reboot (power cycle).

**I would like to stress, that device-mode settings are entirely optional. Do your CPEs require traffic generator? If no, there is no need for this operation. **
We don't only use CPEs, and yes, we sometimes use debugging features like bw-test or traffic gen to communicate with for example Eltek PSUs. We also have hundreds of CCRs. You are effectively taking features away from us, unless we allocate manpower to drive around the city and needlessly waste time pushing buttons, instead of making money to buy more MikroTik devices. Please figure out a better way that isn't a regression. It's not a question of backup access. It's a question of scale. We are not talking about two routers here.
# select count(id) from devman.devices where devtype='managed-mt';
 count 
-------
  7271
Do you want to drive around to all of them and push the button? I didn't think so. We already had to waste time to use containers on few occasions - now the scale will be even higher to just keep features that we currently have in case we'll need to use them one day.

I'm all for security and locking down the devices. What I definitely don't like is me being locked out from my own devices. Please figure out a better way. I'd also like this better way to include possibility of enabling containers remotely. I've sent you an idea for consideration under SUP-166837. Thanks.
 
ofca
Member Candidate
Posts: 229
Joined: Fri Aug 20, 2004 7:18 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 7:53 pm

I agree that this change (and its ramifications) needs to be spelled out better
Actually, this change needs to not happen at all, in my opinion. I'm really glad, that MikroTik guys changed the dev model, and now we have long-running betas, so we can help avoiding such disastrous design choices.

Our field technicians don't ever login to devices; it's all centrally auto-provisioned with high-level staff remotely accessing the devices if and when needed - devices they've never seen with their own eyes. Recent idea of custom default passwords already requires manual waste of time when deploying new devices. Now there will be even more waste of time to do some coordinated button-pushing -- and that's only talking about new devices; what about thousands of existing devices that will need to be visited for a button push?
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 7:58 pm

I fully agree! I think that when an existing feature requires a new device-mode setting after an upgrade, the corresponding device-mode should be automatically set as part of the upgrade.
Only on new devices or after reset-to-defaults, a new device-mode regime should become active by default.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 8:03 pm

So it seems that when you try to setup partitions while not having that device-mode option set, it just corrupts the device?
That is even worse than being unable to switch partitions after upgrade...
That be my take. I only went down the rabbit hole since the RB1100 had a physical serial port. Clearly it shouldn't end up in a bootloop.

Normally if something is blocked by device-mode, it does not show up in UI/CLI - so there's that initial problem here IMO.
 
sinisa
newbie
Posts: 34
Joined: Sun Apr 17, 2011 12:46 am

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 8:51 pm

Why there is no device-mode called "this-is-my-router-and-I-want-everything-to-be-enabled-always-and-forever"?
 
guipoletto
Member Candidate
Posts: 201
Joined: Mon Sep 19, 2011 5:31 am

Re: v7.17beta [testing] is released!

Tue Oct 01, 2024 11:57 pm

Why there is no device-mode called "this-is-my-router-and-I-want-everything-to-be-enabled-always-and-forever"?
The knee-jerk reaction of most SoHo, and supermarket IT people would be to set this, defeating its purpose

That said, there must be a better way than forcing a truck-roll for people managing thousands of devices, especially when involving partitions/downgrade
those are recovery features by their very nature, and messing with them has a wide range of ramifications
 
guipoletto
Member Candidate
Posts: 201
Joined: Mon Sep 19, 2011 5:31 am

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 12:05 am

We don't only use CPEs, and yes, we sometimes use debugging features like bw-test or traffic gen to communicate with for example Eltek PSUs.
Very off-topic, but can you share why would you need to hit those PSU's with traffic-gen?
Emulating some kind of magic-packet maybe?

Also, I can definitely see why they hid traffic-gen behind a config-wall, as it's essentially a wirespeed DDOS generator, and should not be trusted to the average home user
 
teslasystems
just joined
Posts: 21
Joined: Sun Aug 09, 2015 3:00 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 6:15 am

I have installed this new beta to check some fixes, but after downgrading back to 7.16 I started to receive an error in the log each 5 seconds. I don't remember exact error text, but it was something like "the router can't save changes because of problem in file system". And it was impossible to reboot. Only netinstall helped.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 9:02 am

Documentation of device-mode has been updated with more info. If anyone has any doubts or questions, please post them here and we will answer them in the documentation
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 10:58 am

Thanks for adding the "feature clarification table". 👍
 
ofca
Member Candidate
Posts: 229
Joined: Fri Aug 20, 2004 7:18 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 10:59 am

We don't only use CPEs, and yes, we sometimes use debugging features like bw-test or traffic gen to communicate with for example Eltek PSUs.
Very off-topic, but can you share why would you need to hit those PSU's with traffic-gen?
Emulating some kind of magic-packet maybe?
Yes, this exactly. We are using traffic gen to detect presence and current config of a device, to avoid bridging and using proprietary windows app.
 
ofca
Member Candidate
Posts: 229
Joined: Fri Aug 20, 2004 7:18 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 11:13 am

Coordinated button press is not the only option. Power cycle / remove power from device is an alternative.

Deploy your devices from now on with some remote-controlled powerplug and you're good to go. future proof kind of....

....what if these remote-controlled powerplugs are online and somehow easily accessible (backdoor, unsecured, auth bypass, etc.) by "evil people" as well? Ransomware gangs triggering power plugs to unlock ROS device mode....🤯🤯🤯

😂😂😂
Yeah, sure; we've also started in a garage; luckily, today we are way past that. If device requires any power-cycling to keep working, it's replaced as failed. If it's "normal behavior", then it's decommissioned and vendor is banned. I sincerely hope you were just making a joke about adding points of failure to "always on" setups. MikroTik devices are quite robust and, with exception of first batch(es) of CRS317 switches, I don't remember any cases that would consistently require power interventions ;)
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 11:20 am

I don't know what you understood. In simple words: any change you make to device-mode settings can be either committed/confirmed by pushing reset-button or a cold reboot. Cold reboot stands for "take away power and restore power", "unplug power cable, re-attach power cable", or any other action that takes away energy from the device. I hope this is clear now. My - rather a sarcastic comment - had nothing to do with "stability", "reliability", or with "failures" or any regular behaviours of devices.

https://help.mikrotik.com/docs/display/ ... he%20power.
The device-mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, you need to confirm it, by pressing a button on the device itself, or perform a "cold reboot" - that is, unplug the power.
I hope this is clear now.
Last edited by infabo on Wed Oct 02, 2024 11:22 am, edited 2 times in total.
 
eworm
Forum Guru
Posts: 1090
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 11:40 am

I do understand why Mikrotik wants to lock down some device functionality, it makes perfect sense in regards of security.

On the other side I think the current situation (7.17beta2) with device-mode is not acceptable either. (I think I was the first to complain in this thread.) Visiting thousands of devices physically is just a huge issue.

So how about adding a kind of "grace period" for post-7.16 updates? The newly introduced device modes could be activated without physical interaction for a period of something like 24 hours after that update. If no action is taken in that time the modes become locked, just as they are now. Does that help most of us?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 11:44 am

I don't know what you understood. In simple words: any change you make to device-mode settings can be either committed/confirmed by pushing reset-button or a cold reboot.
Well, I should mention that I was quite surprised the first time when I confirmed a device mode change with pressing the reset button that the device actually cold booted...
I assumed that the reset button was just a soft input button, not hardwired to CPU reset, because you can also configure a script that will be run after pressing it for a short time. And of course there are all those different operations when pressing it for a shorter or longer time during powerup.
So when I changed device-mode and pressed reset to confirm, I expected that it would print "OK! you have pressed reset!" and make the change, not to do a cold boot.
When a reboot would be required, I would have expected a warm boot (like /system reboot from commandline)...
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 11:55 am

The message shown on CLI is quite clear and does not leave room for interpretations:
update: please activate by turning power off or pressing reset or mode button in 4m27s
 
pe1chl
Forum Guru
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 11:57 am

So how about adding a kind of "grace period" for post-7.16 updates? The newly introduced device modes could be activated without physical interaction for a period of something like 24 hours after that update. If no action is taken in that time the modes become locked, just as they are now. Does that help most of us?
That would be one solution.
Another one would be to auto-set all "newly added device-mode properties" to "yes" whenever RouterOS is upgraded.
One can argue "then it would not be very effective for its original purpose", but we already have the situation where all existing devices are in enterprise/advanced mode and will not (I HOPE NOT!) switch to the new default device mode for 7.17 on that device.
(when I read the help page I conclude that all devices now running 7.16 will be in "advanced" mode after upgrade to 7.17)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 11:59 am

The message shown on CLI is quite clear and does not leave room for interpretations:
update: please activate by turning power off or pressing reset or mode button in 4m27s
Maybe for you? For me that is not clear. When I press reset or mode button, it will activate the setting. But will it also reboot???
It does not tell that.
Maybe it even depends: pressing reset will reboot it, pressing mode button will not. Who knows?
(I was not able to test that because the devices I tested it on have no mode button)
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 12:00 pm

We have added to the manual some more info about device mode, including that it will reboot in any case.
The console message will also be amended in future betas.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 12:01 pm

Well, I should mention that I was quite surprised the first time when I confirmed a device mode change with pressing the reset button that the device actually cold booted...

Device mode gets set into routerboot (could be it's even baked into permanent storage just like the rest of routerboot contents) and I'd guess that as with every other change in routerboot, device has to be reset.

As to hard/soft reset ... it's hard to self-inflict hard reset on RB devices since they don't have necessary (power management) hardware. So it was probably a (normal?) reboot.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 12:02 pm

Maybe for you? For me that is not clear. When I press reset or mode button, it will activate the setting. But will it also reboot???
It does not tell that.
Point taken. I don't know either what happens on button press. That's a bad thing I have to admit. Last time I changed device-mode was to enable "container" flag - but pressing the reset-button did not confirm it. Don't know why it did not work. So I had to do the other thing: "turning power off".
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 12:46 pm

Pressing the button will initiate a reboot when device-mode command is issued before this.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 1:13 pm

Well, that whole "it will reboot to change the setting" makes the whole thing even worse than it already is.
Not only is it required to physically go to each router, and to connect to the CLI and issue the command and press the button, but also it will cause an interruption in the network at that time.
It is usually even more difficult to get physical access in a maintenance service window than it already is in the first place.
Even when a reboot is required to activate the new settings, it could be noted and the reboot could be done later.
(just as when you upgrade routerboot, for example)
And we cannot even prepare the new device-settings ahead of time, because 7.16 does not allow to set the new properties yet.
The fact that it is a "cold reboot" is also bad, e.g. we have "add ARP for dhcp leases" and "arp mode reply-only" on all the networks, and a cold reboot leaves some clients in a confused state because new leases have not yet been written to storage and after boot will have no ARP entry. At least do a warm reboot!
 
dksoft
Member Candidate
Posts: 152
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 1:35 pm

Documentation of device-mode has been updated with more info. If anyone has any doubts or questions, please post them here and we will answer them in the documentation
I want to prepare a site which I don’t have physical access to in the next months.

What is the best command to be ready and have all features enabled?
 
Joe1vm
newbie
Posts: 28
Joined: Sat Apr 06, 2013 4:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 1:37 pm

Please, what will happen to the running containers after the update to 7.17?
 
gigabyte091
Forum Guru
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 1:44 pm

Nothing should happen, on my ax3 everything is working. Do you have an issue ?
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 1:57 pm

Nothing, it works fine; nothing to do with containers unless you have different partitions for them, but most run on USB??
Please, what will happen to the running containers after the update to 7.17?
Last edited by Coughy on Wed Oct 02, 2024 2:26 pm, edited 1 time in total.
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 1:59 pm

In your log, do you get HapAx3_5Ghz detect LAN, if you have that active??
It seems to show up every 3 hrs or so; only the HapAx3_5Ghz detect LAN, no other interface does it.
Nothing should happen, on my ax3 everything is working. Do you have an issue ?
 
FezzFest
Frequent Visitor
Posts: 95
Joined: Wed Jun 03, 2015 12:03 am

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:10 pm

We have added to the manual some more info about device mode, including that it will reboot in any case.
The console message will also be amended in future betas.
But it's still not clear what I need to do to make sure I can still use all features (including traffic-gen, container, partitions, bootloader and downgrade) on our 2000+ devices in the field without having to physically visit each one of them and do a powercycle.

Also, the documentation is still confusing. It first mentions (under 'Available device-mode modes') that traffic-gen, container, partitions, bootloader, downgrade are disabled for 'advanced mode'. But then under 'List of available properties' it says "Default: yes, for advanced mode" describing properties that also include traffic-gen, container, partitions, bootloader and downgrade?
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:16 pm

No, we do not plan to implement annual licensing or any other licensing changes.

Device mode, as clarified in the manual, is meant to protect home users who have their routers taken over by attackers and are using them for botnet purposes.

EVEN THOUGH we have no known security issues in RouterOS AND we have added default passwords out of the box, improved security will ensure the devices stay secure for a long time. Home user does not need traffic generator.
 
holvoetn
Forum Guru
Posts: 6640
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:17 pm

Nothing should happen, on my ax3 everything is working. Do you have an issue ?
It's not ok on my RB5009.
None of my containers start (iperf, openspeedtest, pi-hole) and yesterday I noticed a couple of drops during Teams calls (never saw that happening before).
Will troubleshoot later this evening.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:18 pm

We have added to the manual some more info about device mode, including that it will reboot in any case.
The console message will also be amended in future betas.
But it's still not clear what I need to do to make sure I can still use all features (including traffic-gen, container, partitions, bootloader and downgrade) on our 2000+ devices in the field without having to physically visit each one of them and do a powercycle.

Also, the documentation is still confusing. It first mentions (under 'Available device-mode modes') that traffic-gen, container, partitions, bootloader, downgrade are disabled for 'advanced mode'. But then under 'List of available properties' it says "Default: yes, for advanced mode" describing properties that also include traffic-gen, container, partitions, bootloader and downgrade?
Home and Advanced mode are like presets, that allow certain list of features. Groups of features, that are listed next to them in the manual.
BUT there is no mode that allows ALL features, if you have Advanced and also need some additional features, you have to enable them one by one. I suggest reading the entire documentation page, it clarifies this further in the text.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:26 pm

Containers ALWAYS had device-mode requirement, since day one. Maybe you forgot you set it. So nothing changes if you had a running container.
 
Joe1vm
newbie
Posts: 28
Joined: Sat Apr 06, 2013 4:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:38 pm

Thanks to all for the confirmation regarding containers....
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:46 pm

I have posted further updates to the manual, so all your Device mode questions should be answered in there.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:47 pm

If your containers stopped working after upgrade to 7.17, it might not be related to device mode at all.
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:49 pm

This still looks like a mess...

There are several EOL products which do not "confirm" mode changes with a reset button press. These routers can confirm mode change only with a power cycle.

Which devices? Will there be a list?

Second question, which I still have a hard time getting an answer to - will all device-mode related changes from the changelog get initiated on all devices which have features (to be disabled as per changelog) already in use, i.e. if non-default settings are already applied to device-mode settings? If yes, then it is an obvious departure from the "not-to-mess-with-applied-configuration" philosophy.
What settings should be next to be expected to be steamrolled over?

P. S. We now have 3 Device-mode presets and no clear definition of which devices default to which one.

This "one-liner" is not enough -> Advanced (previously called enterprise) mode is assigned to CCR and 1100 series devices, home mode is assigned to home routers and basic mode to any other type of device
Last edited by nmt1900 on Wed Oct 02, 2024 2:56 pm, edited 1 time in total.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:54 pm

Where do I need to look then ?
Any hints in log?
 
holvoetn
Forum Guru
Posts: 6640
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 2:59 pm

If your containers stopped working after upgrade to 7.17, it might not be related to device mode at all.
I never said it was related to device mode.
However it is related to ROS 7.17beta... and that's what this thread is about, no ?

I will troubleshoot this evening.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 3:03 pm

Sorry about that, my mistake, this whole thread has turned into "questions about device mode"
 
holvoetn
Forum Guru
Posts: 6640
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 3:05 pm

Where do I need to look then ?
Any hints in log?
Missing exec. Only thing which shows in log after start and then immediately stop.
At first sight (quickly logged in via wireguard during lunch break) disk is mounted correctly (it did cause problems in the past with some USB3 drives on Rb5009 but it seems it gets recognized ok now each time after reboot), folders are still there from what I can see. Mounts are present as expected.
On itself not a real issue since those containers are pretty easy to setup again from scratch but I am simply wondering why it broke all of a sudden.
 
OlofL
Member Candidate
Posts: 114
Joined: Mon Oct 12, 2015 2:37 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 3:39 pm

*) dns - added option to create named DNS servers that can be used as forward-to servers

Does this mean forwarder-to can try to forward to multiple servers?
Does it mean if the first server doesn't respond (because it's down), it will retry the next forwarder before giving an answer back to the client?
Like this guy is talking about: viewtopic.php?p=983021#p983021

Or does this change simply mean that the named forwarder you define will automatically resolve behind the scenes, so that you don't have to add one or multiple static A records for the forwarders?
 
FezzFest
Frequent Visitor
Posts: 95
Joined: Wed Jun 03, 2015 12:03 am

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 3:42 pm

Device mode, as clarified in the manual, is meant to protect home users who have their routers taken over by attackers and are using them for botnet purposes.
Undoubtedly a noble pursuit. I'm not a home user, so I shouldn't be affected by these changes.
Home and Advanced mode are like presets, that allow certain list of features. Groups of features, that are listed next to them in the manual.
BUT there is no mode that allows ALL features, if you have Advanced and also need some additional features, you have to enable them one by one. I suggest reading the entire documentation page, it clarifies this further in the text.
I've read the documentation multiple times, but it seems to describe some mythical state where everyone is already using hardware shipped with v7.17 and pre-"device-mode" times didn't exist. I'm asking this for the third time now: how can I make sure I do not lose any features on our devices in the field when I upgrade them to v7.17? The only thing in the docs regarding <v7.17 mentions devices running older versions will have the 'advanced' mode by default. It doesn't say whether features such as partitioning or downgrade will be enabled or disabled for these devices. If they are disabled, you're not only directly contradicting yourself (I thought it was 'entirely optional' and 'to protect the home users'?), you're also arbitrarily taking away people's device functionality in an attempt to embellish your security posture (which is frankly unacceptable).
 
OlofL
Member Candidate
Posts: 114
Joined: Mon Oct 12, 2015 2:37 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 4:18 pm

So I'm trying to set up RouterOS as a DNS-forwarding server.
I want to use upstream DNS to a DOH server.
But I still need to resolve some local zones, that live on two separate internal dns-servers.

From 7.16. The problem is that the forwarder will not try to ask 10.6.10.221 when 220 is not answering.
/ip dns static
add forward-to=10.6.10.220 match-subdomain=yes name=my.internal.lan type=FWD
add forward-to=10.6.10.221 match-subdomain=yes name=my.internal.lan type=FWD
From 7.17
What's the point of the /ip/dns/forwarders here? I can still only define one DNS server, and only by IP.
/ip dns forwarders
add dns-server=10.6.10.220 name=my.internal.lan
### and then try to add another forwarder for internal lan.
add dns-server=10.6.10.221 name=my.internal.lan
failure: name not unique
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 5:07 pm

DEVICE MODE: all configuration you had running before changing device mode limitations will remain working. Only new config will be denied, if this particular mode setting denies it.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 5:25 pm

From 7.16. The problem is that the forwarder will not try to ask 10.6.10.221 when 220 is not answering.

The basic premise in whole DNS system is that if there are more than one DNS server available (configured), it is assumed that all of them would give the same answer. And answer "no such domain" is answer (albeit negative). DNS client may use available server in round-robin manner, but most use single server until it stops replying altogether.

So which kind of behaviour is that you observe from 19.6.10.220 ?
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 5:31 pm

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled; 
How I understand this, in other words: after upgrade to 7.17 you won't be able to use traffic-gen, not able to change active partition (/partitions/activate), not able to make changes to /system/routerboard/settings and you won't be able to use /system/package/downgrade. The rest remains unchanged. All previously enabled flags/properties stay as-is/untouched. So if you had "container=yes", it remains. Probably if you had "traffic-gen=yes" it remains allowed as well. "partitions, bootloader, downgrade" are new in 7.17, so you are not able to allow them in <= 7.16. To allow bootloader, partitions and downgrade again, you need to use /system/device-mode/update and confirm by either button push or power off.

Is this correct?
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 5:35 pm

Yes ^
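
The behaviour confirmed in the two posts above can be turned into a pre-upgrade check for a fleet. This is an added example, not MikroTik's or any poster's code. The "key: value" layout of the captured `/system/device-mode/print` output, the device names and the per-site feature inventory are constructed assumptions; the list of newly gated features is taken from the changelog line quoted in the post and may differ in later betas.

```python
"""Pre-upgrade device-mode audit (added example, constructed data)."""

# Features the quoted changelog line lists as disabled after upgrading to 7.17.
NEWLY_GATED = {"traffic-gen", "partitions", "bootloader", "downgrade"}
# Of those, the properties the post says cannot be allowed in <= 7.16.
NEW_IN_717 = {"partitions", "bootloader", "downgrade"}

KEPT = "kept"                    # untouched by the upgrade, per the post
LIKELY_KEPT = "likely-kept"      # the post only says "probably"
PHYSICAL = "physical-confirm"    # button press or power-off needed


def parse_device_mode(text):
    """Parse 'key: value' lines into a dict (layout is an assumption)."""
    flags = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue  # skip blank lines and anything that is not key: value
        flags[key.strip()] = value.strip()
    return flags


def classify(flags, feature):
    """Say what happens to one required feature after the upgrade."""
    state = flags.get(feature)  # "yes", "no" or None when not listed
    if feature in NEW_IN_717:
        # Cannot be pre-set before 7.17 and is disabled after the upgrade.
        return PHYSICAL
    if feature in NEWLY_GATED:
        # traffic-gen: an explicit "yes" probably survives, otherwise gated.
        return LIKELY_KEPT if state == "yes" else PHYSICAL
    # Everything else stays as it was; an explicit "no" still needs a
    # confirmed device-mode update before the feature can be used.
    return PHYSICAL if state == "no" else KEPT


def audit(fleet):
    """Map device name -> {required feature: verdict}."""
    report = {}
    for name, (printout, required) in fleet.items():
        flags = parse_device_mode(printout)
        report[name] = {f: classify(flags, f) for f in sorted(required)}
    return report


def site_visits(report):
    """Devices with at least one feature that needs physical confirmation."""
    return sorted(n for n, v in report.items() if PHYSICAL in v.values())


# Constructed sample fleet: (captured print output, features the site relies on).
FLEET = {
    "site-a": ("       mode: enterprise\n", {"partitions", "bootloader"}),
    "site-b": ("       mode: enterprise\n  container: yes\n", {"container"}),
    "site-c": ("       mode: enterprise\ntraffic-gen: yes\n",
               {"traffic-gen", "scheduler"}),
    "site-d": ("       mode: enterprise\n", {"traffic-gen"}),
}

if __name__ == "__main__":
    result = audit(FLEET)
    for device, verdicts in result.items():
        print(device, verdicts)
    print("needs on-site confirmation:", site_visits(result))
```
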
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 5:38 pm

Infabo: One more trick, if you have upgraded an inaccessible device and URGENTLY need to downgrade, because beta has broken something for you, you can change upgrade channel and "upgrade" down to a stable version. This will only work until the other channels have older versions before device mode changes, afterwards this hack will become useless.

pe1chl: nothing will break, look at post by Infabo
 
sirbryan
Member
Posts: 392
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 5:54 pm

The documentation says:
[D]evices running versions prior to RouterOS version 7.17, all devices use the advanced/enterprise mode
and:
(Disabled features in advanced mode) traffic-gen, container, partitions, bootloader
and, as mentioned in another post:
container, fetch, scheduler, traffic-gen,
ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks, partitions, downgrade, bootloader
. (yes | no; Default: yes, for advanced mode)
Despite MikroTik's own documentation, container has never been "default=yes", some options don't exist prior to 7.17, and the table above this section lists a bunch of stuff that is "no" by default. A bit of cleanup is needed.

As I was typing this, some clarification came in:
How I understand this, in other words: after upgrade to 7.17 you won't be able to use traffic-gen, not able to change active partition (/partitions/activate), not able to make changes to /system/routerboard/settings and you won't be able to use /system/package/downgrade.

"Yes"
This either needs to be reconsidered, or an upgrade MOP (method of procedure) needs to be added to the upgrade from <7.17 to 7.17 to keep users from losing access to previously available features. I use routerboard/settings and partitions after deployment all the time.

I also use partitions for backup/recovery. Disabling the ability to change active partitions after an update is definitely not acceptable. (One of my 2116's is on a mountaintop four hours away, and not accessible in the winter without snowmobiles, four-wheelers with tracks, or a helicopter.)
 
Paternot
Forum Guru
Posts: 1049
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 6:03 pm

My take on the whole "device-mode" situation:

1) Old configurations should be (looks like they are) honored by the upgrade.
2) We don't know what happens with new settings available on upgrade (partitions is an example). I think new settings should be allowed to work - because they were allowed before, and the upgrade should honor old configs.
3) There is a valid concern about mass provisioning this thing, since it requires physical intervention. Below I have some ideas about it.

a) Old configs should be honored. New settings should allow the service to run - it was allowed before, and should be allowed now. This solves the issues with already running devices in hard to access places.
b) When upgrading a device from an old version that doesn't have device-mode, there should be a one time grace period where we can set our defaults and do a soft reboot. Say, two hours after the first boot with this new version. But only this one time - future upgrades wouldn't have it. Consider this the price of transition.
c) If it is deemed too insecure to honor the old settings (a thorny subject, but...) there should be a way to set this on upgrade and set with a soft reboot. As said above, this should be a one time offer - say, from 7.16 to 7.17. This way people with huge fleets of hard to access devices can automate the migration.
d) New devices, with factory installed >= 7.17, can get this enabled by default.
e) When netinstalling I think we should be able to pass all these configs, and have them enabled without physical intervention IF AND ONLY IF the boot options make so that the device would try to boot first from its own flash. This way we keep the safety measures, needing local access to change these options.

This is what I think. Should help smooth the transition to this new paradigm.
 
bmann
newbie
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 6:23 pm

@Normis
I understand why you do this and especially for home users. it is install and forget.
I would not be against an option of auto-upgrade as other products - configurable of course, but default on.

Anyway the new version should not break existing scenarios.

I have 7.15 version, device-mode "enterprise" without specific configuration.
I use partitions as recovery solution (triggered in script) so box automatically reverts to previous version after upgrade if something is wrong,

As with 7.17 the new mode "advanced" is set as default with new features set - for me "partitions" blocked and it will break my setup.

This should not happen, for example new features introduced should be allowed by default.
Or specifically for partitions the system could detect that partitions are enabled and set it as allowed feature. thanks
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 6:30 pm

Some replies and remarks:

Old configuration is not touched. If you had hotspot, it keeps working etc.
Containers always required device mode setting, so you already must have had enabled it, if you had them before.
FezzFest: Downgrade is still offered via switching of release channels. Don't upgrade to a beta you have no access to.
 
OlofL
Member Candidate
Posts: 114
Joined: Mon Oct 12, 2015 2:37 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 6:36 pm

From 7.16. The problem is that the forwarder will not try to ask 10.6.10.221 when 220 is not answering.

The basic premise in whole DNS system is that if there are more than one DNS server available (configured), it is assumed that all of them would give the same answer. And answer "no such domain" is answer (albeit negative). DNS client may use available server in round-robin manner, but most use single server until it stops replying altogether.

So which kind of behaviour is that you observe from 19.6.10.220 ?
Yes they do, but the point in having two servers to forward to, is that if one of them goes down, routeros should use the second one. As the link I linked to above, it does not work perfectly.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 6:54 pm

FezzFest: Downgrade is still offered via switching of release channels. Don't upgrade to a beta you have no access to.
I'm not upgrading to any betas. What worries me are releases presented as stable, containing bugs we didn't anticipate and won't be able to fix as we can't downgrade to an older version anymore.
It is time for a long-term channel. Then you could at least have this "last resort" when stable reveals some issues.
 
dksoft
Member Candidate
Posts: 152
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 9:16 pm

I have posted further updates to the manual, so all your Device mode questions should be answered in there.
Should not "downgrade" be in the table of the disabled features of the "advanced" line? https://help.mikrotik.com/docs/display/ROS/Device-mode
 
holvoetn
Forum Guru
Posts: 6640
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 9:23 pm



Any hints in log?
Missing exec. Only thing which shows in log after start and then immediately stop.
At first sight (quickly logged in via wireguard during lunch break) disk is mounted correctly (it did cause problems in the past with some USB3 drives on Rb5009 but it seems it gets recognized ok now each time after reboot), folders are still there from what I can see. Mounts are present as expected.
On itself not a real issue since those containers are pretty easy to setup again from scratch but I am simply wondering why it broke all of a sudden.
Now I'll be damned ...
downgraded to 7.16 to see what happens there. Still nada.
Back to 7.17b2, everything works now :shock: :o

I didn't change a single bit of config myself...
 
holvoetn
Forum Guru
Posts: 6640
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 9:42 pm

Adding:
this part from changelog 7.16
*) container - clear VETH address on container exit and mark interface as running only when VETH is in use;
...is not yet implemented in 7.17b2.

It's not in the changelog so no surprise but it's one of the things which set me off initially when troubleshooting during the day.
I was expecting it to be there already. Appears it's not yet.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 9:42 pm

I have posted further updates to the manual, so all your Device mode questions should be answered in there.
https://help.mikrotik.com/docs/display/ROS/Device-mode
Similar question... under "bandwidth-test" ... it does not discuss /tool/speed-test. I guess it's not included if one believes the recent docs... but since you could set the interval= very high, it can act like bandwidth-test.

On the device-mode topic generically... Yet another plug for some way for "netinstall" or "whatever-mass-install" case to be able to set the desired device-mode WITHOUT having to login to enable these features. In my particular case, I've never been able to deploy container/s from a defconf script - so it's yet another hurdle to using /containers more broadly. And, I'd actually like to restrict more device-modes via netinstall/branding, but doing so requires manual steps.

While, yes, for one device, device-mode is trivial - but if the device was on top of a mountain, or part of a larger ISP deployment (esp. those who used partitioning on controlled CPEs)... it's a much bigger deal. At least with the "default password 'controversy'", it was only new units that were affected & [eventually] controllable via "netinstall" variables. The same treatment is needed for device-mode IMO.

i.e. you should be able to set /system/device-mode WITHOUT the "power"/"button" protections from a /system/default-configuration script (applied via branding or netinstall).
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: v7.17beta [testing] is released!

Wed Oct 02, 2024 10:18 pm

No, we do not plan to implement annual licensing or any other licensing changes.

Device mode, as clarified in the manual, is meant to protect home users who have their routers taken over by attackers and are using them for botnet purposes.

EVEN THOUGH we have no known security issues in RouterOS AND we have added default passwords out of the box, improved security will ensure the devices stay secure for a long time. Home user does not need traffic generator.
Thanks for clarifying that!
 
oeyre
Member Candidate
Posts: 141
Joined: Wed May 27, 2009 12:48 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 2:25 am

Sorry I am a bit unclear about something regarding device mode. Is/will it become mandatory to use:
  • For my existing hardware once I upgrade to 7.17?
  • For any new hardware that comes from factory with 7.17+?
I currently don't use this feature at all on my devices and the majority of them are not reachable from the Internet.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 10:55 am

Sorry I am a bit unclear about something regarding device mode. Is/will it become mandatory to use:
device-mode is an existing feature that was introduced a couple of versions ago, and it provides a global enable/disable of features that are deemed to be "dangerous".
Its most apparent use was to enable the new "container" feature. To use that, you always had to set the container property in device-mode.

What causes the stir-up now is that MikroTik have decided to add a couple of new device-mode properties for EXISTING features that many advanced users use, and to guard those features, without enabling the corresponding device-mode property by default.
That means that once you upgrade to 7.17 you will find existing features inoperative, especially those centered around the possibility to go back to a previous version.
To have the features back, you need physical access to the router at a time it is not in active use.
That is what lots of professionals do not like about it.

For the home user with one or two routers that maybe even have only 16MB of flash and who never wants to downgrade, it is not an issue.
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 11:59 am

We are only at first public beta now so Mikrotik has time to change this - at least by changing "partition" and "downgrade" defaulting to enabled in advanced mode - or leaving it unchanged.
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 1:41 pm

I don't think there is any indication that they are planning to change this. All responses are only directed at clarifying and documenting the new situation, there isn't any hint at all that they may reconsider the decision.
Documentation on device-mode is still useless as we don't know which "certain EOL devices" must have cold reboot i.e. do not respond to button - and it still is not clear which devices are set to 'basic' and which to 'home' mode as default. Definition by "home routers" and "other devices" is not acceptable as we have many devices that are not routers yet default configuration is as a router (best example is wAP ac).
 
ormandj
just joined
Posts: 18
Joined: Tue Jun 15, 2021 12:25 am

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 3:22 pm

It seems like the upgrade should have an option to leave all pre7.17 devices in the same state they were post upgrade, and add no lockdown, to include all features, not just ones previously used. If you absolutely must go this route, make the default be to switch to a restricted mode like you are currently planning, but give users with complex or remote deployments the option to upgrade without any restrictions being enabled, for any feature. Perhaps a CLI flag?

You might have to do a 7.16.1 to enable this if functionality to support upgrade options isn’t currently available, but this should resolve the issue while still allowing MikroTik to try and prevent home users from whatever it is this mode and feature restriction is supposed to address.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 4:06 pm

Let me ask again, why would you simultaneously deploy a new version on these thousands of inaccessible devices, without testing it first?
Second, if you are able to connect and issue a system downgrade command, it means the device still works, no?
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 4:07 pm

ormandj
"It seems like the upgrade should have an option to leave all pre7.17 devices in the same state they were post upgrade"
That's exactly as it is. I already explained it. Your running config is not affected.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 4:09 pm

Pe1chl: "That means that once you upgrade to 7.17 you will find existing features inoperative"
That's not true, can you please stop repeating this nonsense? It was explained multiple times, that your container will continue working, your hotspot will continue working. It is documented and answered in this topic as well. Only new configuration will be locked, if you do not have the correct mode enabled.
 
acresp
just joined
Posts: 4
Joined: Tue Oct 01, 2024 11:03 am

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 5:29 pm

Hello,

Is it on the roadmap to have PTP support on CRS520-4XS-16XQ-RM ?

Thanks
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 5:41 pm

Device Mode: Partitions

- If your router is unable to boot, it will still be able to boot into your other partitions. No restriction for crash recovery.
- You can still repartition your disk into more partitions. No restriction for repartition.

The only thing not allowed by device-mode setting "partition", is manually changing to another partition if your device is working fine.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 5:51 pm

Let me remind you, that if your device has some need to be routinely switched between partitions all the time, send somebody to unplug it from power ONCE in its lifetime, to enable device mode setting for this.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 5:57 pm

What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 6:12 pm

The issue with downgrade is that any attack script can immediately issue downgrade command to some version with known security issue and take over the device. See viewtopic.php?p=1101208 as an example of how smart these scripts are.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 6:14 pm

It seems like nobody is complaining about "bootloader" device-mode flag. The discussion is all about "partitions" and "downgrade". "traffic-gen" was mentioned, but to be serious, even someone managing thousands of devices does not need "traffic-gen" on a majority of them. This sounds do-able to enable "traffic-gen" on some devices again for these "special cases".

And "traffic-gen" is probably the most dangerous option here - from a sight of the "world". Nobody likes to get hit by a botnet of Mikrotiks running traffic-generator.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 6:15 pm

The issue with downgrade is that any attack script can immediately issue downgrade command to some version with known security issue and take over the device. See viewtopic.php?p=1101208 as an example of how smart these scripts are.
How about disallowing downgrade to ROS versions with known security vulnerabilities? This needs no device mode to be honest.
 
FezzFest
Frequent Visitor
Posts: 95
Joined: Wed Jun 03, 2015 12:03 am

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 6:16 pm

please do not mass change anything that can't be accessed.
If I can help it, we're never physically touching any of our equipment, ever. That's a philosophy you may not like, but we've got a network to run and we like to spend our time deploying new customers rather than dancing to the tunes of a developer in Latvia that cares more deeply about defending his ideas than implementing ones that'd solve the problem.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 6:21 pm

The issue with downgrade is that any attack script can immediately issue downgrade command to some version with known security issue and take over the device. See viewtopic.php?p=1101208 as an example of how smart these scripts are.
How about disallowing downgrade to ROS versions with known security vulnerabilities? This needs no device mode to be honest.
Unknown today might become known some other day.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 6:21 pm

It seems like nobody is complaining about "bootloader" device-mode flag.
Well, I don't really like that either. When I want to netinstall a device that is not completely dead, I use "try-ethernet-once-then-nand" mode to force it to go to netinstall, instead of fiddling with the button. I even netinstalled a device remotely that way. Just to be sure that some strange phenomenon I was seeing was not caused by configuration database corruption.
In the normal use case one could argue that you can still use device-mode to allow bootloader setting and then use it, without fiddling with the button (only powercycle), but for remote devices that is not always possible.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 6:22 pm

You can set this option today in 7.16, and it will remain after upgrade.
Existing config is not affected by device mode limitations.
 
CGGXANNX
Member Candidate
Posts: 232
Joined: Thu Dec 21, 2023 6:45 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 7:47 pm

What if you implement it like this:

  • For devices currently running <= 7.16.x which currently have device-mode = "enterprise", an upgrade to >= 7.17 will switch the mode to "advanced", but with the extra features still enabled (except for container, unless it was already enabled under the older version). The extra features, however, can each be switched to "no" once (by running the commands) without requiring physical access. Further switching, as well as changing the device mode, will require physical access. That way admins can immediately make their devices more secure after the upgrade without needing to physically touch them.
  • A configuration reset or netinstall will disable the extra features by default (current 7.17beta behaviour).
  • New devices with >= 7.17 preinstalled from factory also have the extra features disabled by default.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 8:49 pm

And even if it would exist: you would need to press button or power off. hahha
Well, at least we could plan that as a task to be performed during other visits to each location in the months before the upgrade.
 
dang21000
Frequent Visitor
Posts: 54
Joined: Sat Feb 25, 2023 2:30 pm
Location: France

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 9:01 pm

This is a fu__ng function the need to press a button to manage device mode features.
It's very fun with remote sites a few hundred/thousand kilometers away.

How will this new device mode be handled with upgrade/downgrade OR partition switches with different versions?
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 9:20 pm

And even if it would exist: you would need to press button or power off. hahha
Well, at least we could plan that as a task to be performed during other visits to each location in the months before the upgrade.
Mikrotik could make these device mode properties available in 7.16.1 already. 7.17 final release is months away.
 
sirbryan
Member
Posts: 392
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 9:56 pm

Let me remind you, that if your device has some need to be routinely switched between partitions all the time, send somebody to unplug it from power ONCE in its lifetime, to enable device mode setting for this.
Let me remind you that you guys are adding both fixes and features in RouterOS 7 at a fast, steady pace (for which we are grateful). That "some need" for switching between partitions is because new versions can test out fine in the lab or on a couple of field devices, but introduce breaking changes elsewhere in the field, some of which we may not notice for days or weeks. Switching back to the previous partition gets us back to a known state (version + config) quickly.

As for unplugging a router for just ONCE in its life:

Let's look at my mountaintop CCR2116 as an example. We can get there relatively easily from June to October. That's only five months out of the year. Even then, it's a four-hour drive one way. And, for obvious safety reasons, we only go up and do our work during daylight hours. You are suggesting we will have to set aside 9-10 hours one day and bring down a critical portion of the network for a few minutes in order to keep existing features active, should we choose to update the software (which we usually do to take advantage of bug fixes). Not only is this expensive (fortunately we usually have multiple reasons for going up), but customers don't often like services going down during daylight hours.

For the gear that is more reachable, I'm (I'm a one-man business) going to have to drive around my network, remotely log in, and within 2 minutes power-cycle about 40 additional CCR2116's, RB5009's, RB4011's, etc. to keep an existing set of features working. That all has to be done during maintenance windows, which are mostly between 2:00 a.m. and 4:00 a.m. Most of my site routers are on customer rooftops, with power coming from inside the home. (Are you seeing where this is going?)

Can you at least pretend to understand the situation(s) some of us face, show a little sympathy, and offer constructive suggestions, instead of treating us like idiots? The fact that millions of devices and users won't be affected does not diminish the fact that the remaining hundreds of thousands will, and that there is a tangible cost (in this case a loss) associated with your development decisions.
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 10:47 pm

device-mode [...] send somebody to unplug it from power ONCE in its lifetime [...]
[...] you guys are adding both fixes and features in RouterOS 7 at a fast, steady pace (for which we are grateful). [...] Switching back to the previous partition gets us back to a known state (version + config) quickly.
Agree 100%. But using channels to upgrade/downgrade when facing a potential bug is also very quick too ;). But unfortunately that has problems here too, with the "downgrade=no" device-mode.

Know it's an early beta. But there is a logical problem with default downgrade=no device-mode once 7.17 becomes "stable" i.e. there'd be no channel to use for downgrade without a "long-term" or other channel to pick for a potential downgrade... For production systems... the last stable is no doubt a better choice when facing potential bugs, than the "testing" channel...but "downgrade=no" blocks even manual package copy (and double-whammy if you were diligent and already used partitions).

Personally I don't care about the definition of "long-term", or what the channels are named... but the lack of having V6's "3 channels" to "try" when facing potential bugs has been noticeable in the years since V7 was released. The whole manual package download+copy to downgrade V7... sucks compared with picking a channel in winbox, and rebooting to quickly see if a particular version broke something. Can we at least get a new "previous-stable" channel if there is not going to be a long-term? - this would already be useful outside the beta.

Someone made the point that current stable 7.16 release chain could have options to "prep" for this change - that's not a bad idea. I like the concept of device-mode, but it has to be controllable for automated/mass deployments.

Anyway... some add'l thought needs to go into the "device-mode" scheme for dealing with at scale IMO. Either "downgrade" or "partition" are going to bite quite a few folks as it stands.
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Thu Oct 03, 2024 11:26 pm

Can we at least get a new "previous-stable" channel if there is not going to be a long-term? - this would already be useful outside the beta.
I support this idea 1000% - because I use "previous-stable" version on production devices myself in its last version i.e. updated all to 7.14.3 when 7.15 came out and did next update to 7.15.3 when 7.16 came out. This way it would be easy to maintain this channel as well because it is updated only when next "major" release comes out.
 
Jotne
Forum Guru
Posts: 3339
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 1:54 am

Let's look at my mountaintop CCR2116 as an example. We can get there relatively easily from June to October.
At my work many years ago, I did set up several Wifi links on mountain tops. Sometimes they just stopped working or we just like to reboot them.
So found a solution. Using a power adapter that was controlled by ping. If it for some reason lost ping to an IP (e.g. remote site) for some time, it would remove the power, wait a fixed time, and put the power back. Site always comes up after that restart. If we like the remote mountain top device to restart, we could just use web access to the device and restart it, or remove remote IP so it restarted itself.

PS do not remember the name or product, was 20 years ago.
 
MrRobotdev
just joined
Posts: 20
Joined: Sun Jul 30, 2023 8:44 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 8:07 am

Developers of Mikrotik

There are so many AP AX that are unusable in 5G because of SA query timeout, and you have just reworded this?

Are you serious?

Do not complain that for the market share of Ubiquiti in Wifi... unacceptable for months not to be able to connect my business laptop to wifi
 
vaizki
newbie
Posts: 33
Joined: Wed Mar 23, 2011 3:44 pm
Location: Finland

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 8:27 am

After update CAPsMAN with wireless package stopped working, in the log there are tons of:
CAP failed to join MikroTik (::ffff:127.0.0.1:5246)
CAP connect to MikroTik (::ffff:127.0.0.1:5246) failed: timeout
Also seeing this. Tried with 7.17beta2 on both cap and capsman - would not work. Same with 7.16 on capsman and 7.17beta2 on cap.. timeouts.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:29 am

Developers of Mikrotik

There are so many AP AX that are unusable in 5G because of SA query timeout, and you have just reworded this?

Are you serious?

Do not complain that for the market share of Ubiquiti in Wifi... unacceptable for months not to be able to connect my business laptop to wifi
Please tell me your MikroTik support ticket number and I will see if there is any progress in your case.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:30 am

This is a fu__ng function the need to press a button to manage device mode features.
It's very fun with remote sites a few hundred/thousand kilometers away.

How will this new device mode be handled with upgrade/downgrade OR partition switches with different versions?
There is no need to do this at all. What makes you think that?
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:32 am

You can set this option today in 7.16, and it will remain after upgrade.
Existing config is not affected by device mode limitations.
/system/device-mode/update partition=yes
expected end of command (line 1 column 28)

you cannot. 7.16 does not know about device-mode "partition".
Are you serious? I am directly answering your question about bootloader settings.
If you are not interested in real answers, only trolling, you are welcome to join some other online community instead.
 
bmann
newbie
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:52 am

If you enforce "advanced" mode for existing devices without this mode or apply new non-existing features, then it is breaking things.
For example, you have a feature you may want to use occasionally, so it is not configured, but you can always do it now.
After the change you cannot do it until going physically to reboot the device.

So effectively you are enforcing people to go physically reboot already installed boxes. That can be thousands.


For me the "partition" feature is a breaking point. I do on upgrades:
- before upgrade copy active partition to backup one
- enable scheduler to run script after boot up
- upgrade
- system boots up, script is executed after some timeout
- the script activates the backup partition and reboots --> will not be possible with changes to device-mode

So if something is wrong after upgrade and I cannot login back to the device, then it is reverted back to original version on backup partition.
This may help to resolve some issues without need of physical access to the device and this is now broken.



I like this idea of someone here:
For devices currently running <= 7.16.x which currently have device-mode = "enterprise", an upgrade to >= 7.17 will switch the mode to "advanced", but with the extra features still enabled (except for container, unless it was already enabled under the older version). The extra features, however, can each be switched to "no" once (by running the commands) without requiring physical access. Further switching, as well as changing the device mode, will require physical access.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 10:03 am

This thread highlights some very interesting workflows we never even imagined https://xkcd.com/1172/

Why do you switch the partition after upgrade? Can you not simply create a second partition, or update it, if upgrade is successful? And if not successful, boot from the backup? That will not require any device mode changes.

Yes, automating upgrades that include creation of backup partitions during upgrade, will certainly require a button press once, before such automations can continue. But this is certainly not your typical way to use partitions. Partitions are created and then only used when device fails to boot.

EDIT: I am reading your post again. The last step, why is it necessary? Your workflow is not affected by device mode, if you don't manually switch to backup partition. Why is this needed?
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 10:34 am

I am not bmann, but I can imagine some reasons why he uses the described workflow. The key quote is "I cannot login back to the device". The device can successfully boot up. But at the same time not accessible anymore. Wireguard/ovpn tunnels do not establish anymore or other reasons. The last resort: rollback. Rollback is maybe the most powerful tool anyone working in IT can have. Because there is no standardized way in ROS, people come up with their own solutions. And it's not a spacebar heater...

...and referring to the xkcd comic on using spacebar to overheat cpu. Well, this is - no shit - one thought I had in the last few days on this device-mode topic. "How can I simulate power loss for ROS without actually power off or press the reset button". People get creative. Maybe someone finds a sequence of commands or a state of configuration which leads reproducibly to a "device rebooted. possibly power loss" log message. This "knowledge" of ROS bug could then be used to confirm device-mode changes. It is like having the 0-day exploit at hand - and keep it like Gollum's ring.
Last edited by infabo on Fri Oct 04, 2024 10:41 am, edited 1 time in total.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 10:40 am

That is the exception. I'm asking why he is doing that every time after upgrade.
If your tunnel is down, you can't switch partitions anyway. You need access for that.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 10:43 am

If your tunnel is down, you can't switch partitions anyway. You need access for that.
The scheduler script does that. It is configured to run e.g. 5min after startup. It does switching partition. If bmann can log in, he just disables the scheduler. All good.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 11:28 am



/system/device-mode/update partition=yes
expected end of command (line 1 column 28)

you cannot. 7.16 does not know about device-mode "partition".
Are you serious? I am directly answering your question about bootloader settings.
If you are not interested in real answers, only trolling, you are welcome to join some other online community instead.
I think several people here agree that YOU are the one here that is trolling.
As someone else says: you are treating us like idiots.
When we ask you something, you switch to another topic.
And worst of all: when we ask to keep an existing capability, you are not positively trying to get a solution, no you go to the lame
"why would you want that" direction. It has already been established that we want it, the discussion is about how to achieve it.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 11:36 am

pe1chl, why is this so hard to understand? your complaint is about routerboot settings, that you can't switch to "try-ethernet-once-then-nand". You can, switch now and upgrade later.

about partitions, their purpose is to reboot into backup, when device fails to boot. this works without any device mode changes or settings. if you have such a setup, nothing has to be done after upgrade. you can create partitions, copy active partition to backup partition etc. and it will fallback to backup, if device fails. no button press necessary.
 
bmann
newbie
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 11:43 am

infabo is right on my setup.

so clarification:
- I do not switch partitions at all on upgrade normally (just copy actual/active partition to backup partition)
- enable scheduler that starts after successful boot up
- if I can login back and manage the box I disable the scheduler
- if I cannot login back then after 5m the script switches active partition and reboots -> box boots back to previous version and all should run as before

This is rollback in case there is something wrong - for example PPPoE client does not connect to server, problem with routing, firewall, vpn tunnel etc. It may happen due to some bug or other issues.
I do this because the device is remote and not easily accessible and this reduces the need for physical access to the device.
Last edited by bmann on Fri Oct 04, 2024 11:49 am, edited 1 time in total.
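
The rollback guard bmann describes in the two posts above, written out as an added RouterOS script example (not bmann's actual script and not MikroTik's code). The partition name part1 and the scheduler name rollback-guard are assumptions, and the device is assumed to be already split into at least two partitions.

```routeros
# Added example. Assumed names: part1 = backup partition,
# rollback-guard = scheduler entry. Run on the partition being upgraded.

# 1. Before the upgrade: clone the running OS and its config to the backup
#    partition. Do this BEFORE adding the guard, so the backup copy does not
#    contain the scheduler entry and cannot reboot-loop after a rollback.
/partitions copy-to part1

# 2. Arm the guard. start-time=startup (interval left at 0) runs the event
#    once after every boot. After 5 minutes it checks whether an admin has
#    disabled the entry; if not, it activates the backup partition and reboots.
/system scheduler add name=rollback-guard start-time=startup \
    on-event=":delay 5m; :if ([/system scheduler get rollback-guard disabled] = false) do={ :log warning \"rollback-guard: no admin check-in, reverting to part1\"; /partitions activate part1; /system reboot }"

# 3. Upgrade and reboot as usual.

# 4. If the device is reachable after the upgrade, check in within 5 minutes
#    so the pending event finds the entry disabled and does nothing:
/system scheduler disable rollback-guard

# On 7.17beta, per this thread, the "/partitions activate" call in step 2 is
# the operation gated by the device-mode "partition" setting. The guard only
# works where that setting was enabled beforehand, which needs physical
# confirmation (button press or power cycle):
#   /system/device-mode/update partition=yes
```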
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 11:46 am

pe1chl, why is this so hard to understand? your complaint is about routerboot settings, that you can't switch to "try-ethernet-once-then-nand". You can, switch now and upgrade later.
Because "try-ethernet-once-then-nand" switches itself back to "nand" afterwards. pe1chl can change that one time on 7.16 when upgrading to 7.17. Afterwards he won't be able to do that anymore. Except: allow "bootloader" in device-mode which involves physical access.
 
DanMos79
just joined
Posts: 13
Joined: Wed Jun 03, 2020 1:35 pm
Location: Germany

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:00 pm

pe1chl, why is this so hard to understand? your complaint is about routerboot settings, that you can't switch to "try-ethernet-once-then-nand". You can, switch now and upgrade later.

> about partitions, their purpose is to reboot into backup, when device fails to boot. this works without any device mode changes or settings. if you have such a setup, nothing has to be done after upgrade. you can create partitions, copy active partition to backup partition etc. and it will fallback to backup, if device fails. no button press necessary.

@normis
I think pe1chl, many other users and I use partitions not only as an automatic fallback, but as a backup if the new version doesn't work as expected.
By the way, this method of using the partitions is also described on the MikroTik help page.

https://help.mikrotik.com/docs/display/ROS/Partitions
"This can be used as an interactive backup where you keep a verified working installation and upgrade only some secondary partition. If you upgrade your configuration, and it proves to be good, you can use the "save config" button to copy it over to other partitions."

Wouldn't it make sense to add an option to set the new device mode parameters via file when updating from version 7.16 to version 7.17? This would give the standard user the secure configuration desired by MikroTik and the advanced user can plan the update process and set the parameters as needed.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:12 pm

> pe1chl, why is this so hard to understand? your complaint is about routerboot settings
My complaint is NOT about routerboot settings!!!
My complaint is about new device-mode settings that disable existing features that can only be re-established with physical access.
In particular: routerboot settings, active partition changes, and downgrade to a manually uploaded version.
(the latter mainly because there is no previous-stable channel, as others brought up already)
> that you can't switch to "try-ethernet-once-then-nand". You can, switch now and upgrade later.
You may not know that setting bootloader to "try-ethernet-once-then-nand" does not stick, it only remains active until the
next reboot. What I would like to see is a "try-ethernet-for-30-seconds-then-nand" mode that does stick and that we can set
in locations where we would like to be able to netinstall some time way in the future, e.g. tower installs of access points.
But that is a different matter, let's not confuse the current issue.
> about partitions, their purpose is to reboot into backup, when device fails to boot. this works without any device mode changes or settings. if you have such a setup, nothing has to be done after upgrade. you can create partitions, copy active partition to backup partition etc. and it will fallback to backup, if device fails. no button press necessary.
But you do not cover the situation where we have version X in active partition, version X-1 in backup partition, it has been
running and reconfigured for some time and then the power is cycled a couple of times (sometimes happens here when e.g.
internet is down and people unplug the equipment, wait one minute, unplug again because it still doesn't work).
Now the active partition is the old version, which may run but we want to get back to the version X so need to switch active
partition and reboot.
Happened in the company earlier this week (triggered by a strange bug in 7.16 that I still have to further investigate).
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:15 pm

What we all can agree on, and I hope even normis agrees on it: the "grace period" is way too short. It is not like these device-mode changes happen in 2026 and several precautions can be taken. No, it is - at least planned - to happen in next upcoming "major" release.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:32 pm

Yes, that is also why I suggested that the device-mode settings are made available earlier than that they are enforced.
But Normis plays stupid and pretends he does not understand...
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:41 pm

above quoted line from the manual

> "you can use the "save config" button to copy it over to other partitions.""

this can be done without any device mode changes, limitation only is applied to manual re-booting to other partition, if main one is still working
 
bmann
newbie
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:42 pm

> Yes, that is also why I suggested that the device-mode settings are made available earlier than that they are enforced.
Not really. It does not matter if it is now or later version, but the new device mode should not force you to go and physically visit all running devices.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:44 pm

Rough timeline for v7.16 beta1 to v7.16 release was from June 5th to September 24th. Beta period can be considered grace period.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:51 pm

> above quoted line from the manual
>
> > "you can use the "save config" button to copy it over to other partitions.""
>
> this can be done without any device mode changes, limitation only is applied to manual re-booting to other partition, if main one is still working
You cannot "save config" from an inactive partition to the actively running partition, right?
So, no solution.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 12:58 pm

I already explained, that if you have access to this device and are able to issue commands, you can also fix your config in other ways, not just by partition change. And if a script can do things in your router, so could an attacker. Those people that have thousands of routers that all use partitions and automated upgrades, that switch to backup partitions, when something can't be pinged (netwatch), yes, will have to manually enable partition mode for this to be possible. But I personally think there are better ways to protect a device against failed upgrades.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 1:09 pm

> Rough timeline for v7.16 beta1 to v7.16 release was from June 5th to September 24th. Beta period can be considered grace period.

The major problem I foresee ahead is the fact, that - I have no evidence - only 3/10 people read changelogs.

So this little line

> !) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;

will not get the attention. And once you're on 7.17 and find out the "hard way" that your device just received some device-mode "lockdown" is to be the next #1 topic headline in 2025 Mikrotik forum.

It is like with 7.13. People netinstall e.g. 7.16 and wonder where their wireless interfaces have gone. Yeah, because they did not go the advised upgrade path (first to 7.12.2, then 7.13+) or when doing netinstall did not read the changelog to just find out, they now have to install one additional package aside main package to have wireless working.

Just saying, this will introduce a tremendous amount of support tickets and even more controversial feedback in the 7.17 stable release topic.
 
bmann
newbie
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 1:36 pm

> I already explained, that if you have access to this device and are able to issue commands, you can also fix your config in other ways, not just by partition change. And if a script can do things in your router, so could an attacker. Those people that have thousands of routers that all use partitions and automated upgrades, that switch to backup partitions, when something can't be pinged (netwatch), yes, will have to manually enable partition mode for this to be possible. But I personally think there are better ways to protect a device against failed upgrades.
But you need to have physical access to the device!!! For new devices this is OK and everyone will count with it.
But for already deployed devices in production it is a PROBLEM.
You force people with thousands of devices to visit it physically and make a change or give up on functionality.

You literally kick your users in the (_!_)
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 1:57 pm

It starts to look like some at Mikrotik are not exactly familiar with the concept of managing devices in inaccessible locations or located in other country (or even continent)....
 
ufm
Member Candidate
Posts: 103
Joined: Fri Nov 15, 2013 12:02 pm
Location: Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 2:05 pm

> No, we do not plan to implement annual licensing or any other licensing changes.
>
> Device mode, as clarified in the manual, is meant to protect home users who have their routers taken over by attackers and are using them for botnet purposes.
>
> EVEN THOUGH we have no known security issues in RouterOS AND we have added default passwords out of the box, improved security will ensure the devices stay secure for a long time. Home user does not need traffic generator.
Also, a home user doesn’t need BGP, MPLS, OSPF, RIP, or 99% of the functionality of ROS. What a home user needs is one big button — "Make everything work." I appreciate your concern for home users, but how about releasing a separate firmware for them and not touching the professional devices?
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 2:07 pm

> Rough timeline for v7.16 beta1 to v7.16 release was from June 5th to September 24th. Beta period can be considered grace period.
I think you don't understand (just like you pretend to not understand ANYTHING in this matter) what a grace period would be.
A useful grace period would be some time where we can PREPARE for an upcoming change in a non-disruptive manner.
E.g. when 7.16 would allow to set the new device-modes, we could set them when the opportunity arises, within that grace period.
It is not "7.17 will be released in 4 months time so you have 4 months grace period" because after those 4 months, we still have the situation
where an upgrade immediately kills functionality.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 2:22 pm

It looks like someone at MikroTik, maybe as part of a security meeting, has decided that there is a real risk that someone would obtain admin
access to a device and then would want to have even more capabilities and would achieve that by downgrading RouterOS.
While that undoubtedly has happened somewhere, I wonder how realistic that is as a major threat to the millions of deployed routers.
For one, there is always a minimal version (factory version) and it increases all the time. One batch of RB5009 we bought has factory software 7.5,
another bought 2 months later already has 7.8. So downgrade below that isn't possible at all.
Then, the whole issue of "downgrade would make devices vulnerable" is only a valid concern when devices are in fact UPGRADED by their users.
I think a much more effective measure when you want to improve security and want to avoid exploits by devices running lower versions is by
implementing a mechanism for auto-upgrade!
I know that it is possible to implement it using scripting, but only some very interested (or experimenting) user would ever do that.
Most experienced admins would want to keep things under their own control (especially with MikroTik sometimes going haywire like now), and
the casual home user has no expertise to get an auto-upgrade script configured.

When you really are worried about device security, a much more effective step in 7.17 will be to implement an auto-upgrade as part of the
default configuration, which e.g. checks once a week at a nightly hour if there is a new version in some channel, download it, and either present
a popup in the config tools that tells the user "update available, reboot to install" or installs it automatically after another couple of days.
Then at least you have some way of assuring that naive home users keep a reasonably up-to-date version, so there is a "need to downgrade"
for the attacker in the first place!
It would be best if there is a separate channel for this, which gets updated only when there are fixed vulnerabilities, not just for the sake of
having new features. To limit the risk of bricking devices for no reason.

Your competitors already have this. They have some config selection "auto upgrade firmware", enabled by default, that the user can turn off
if they wish. You can have the same thing, just by having some scheduled script that can be disabled from QuickSet if desired.

Another improvement would be a feature to "upgrade settings on routers running defaults". E.g. to upgrade the firewall config to the new
default, or to add the abovementioned scheduled script. As it is now, no improvements in default settings ever get implemented on routers
that already have passed their first powerup. That could be improved to have better security.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 3:44 pm

> It starts to look like some at Mikrotik are not exactly familiar with the concept of managing devices in inaccessible locations or located in other country (or even continent)....
Please describe your specific use case, so we can see how to improve it. Not theory, real use.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 3:48 pm

To be honest, the most surprising thing coming from this topic is that people use partitions, even though most of our devices don't have enough space for that.
This feedback will help us. What would be much better is if you could describe actual use cases, like @bmann has done, instead of "nobody understands how people manage devices". That is not helpful.
 
pe1chl
Forum Guru
Posts: 10519
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 3:50 pm

We don't buy the toys that have only 16MB for business! And I (and others) have argued a lot against them.
When I first bought MikroTik stuff it was devices like the RB2011 and I immediately partitioned it.
Only later things have gone downhill with all those 16MB devices and the issues they caused (at home, mostly).
Also, please stop projecting your own view on the world onto others. When we say we require functions, you can
believe it without us writing a dissertation about it. Which you probably will only glance over anyway.
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 3:58 pm

> I already explained, that if you have access to this device and are able to issue commands, you can also fix your config in other ways, not just by partition change.

Except when config is internally f*cked up by an upgrade and manually fixing the issue is no longer possible. The only solution in this case is either switching to a still working partition or doing netinstall.

Also using switch channel to downgrade from a "stable" release is not possible, as long-term does not exist in the v7 train (yet).
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:05 pm

> You can set this option today in 7.16, and it will remain after upgrade.
> Existing config is not affected by device mode limitations.
This won't work with the options that did not exist before 7.17.
Maybe, release a version where partition, downgrade and bootloader are known, but have no effect and can be updated remotely, let people who need these features on remote devices update them, and then start enforcing them in the next major release?
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:06 pm

andriys let me repeat the question. you have full access to the router. what could be so f***ed up that you can't fix it from the fully working command line, but you can type "partition activate" command?
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:06 pm

> > You can set this option today in 7.16, and it will remain after upgrade.
> > Existing config is not affected by device mode limitations.
>
> This won't work with the options that did not exist before 7.17.
> Maybe, release a version where partition, downgrade and bootloader are known, but have no effect and can be updated remotely, let people who need these features on remote devices update them, and then start enforcing them in the next major release?
which ones did not exist?
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:07 pm

> which ones did not exist?
partition, downgrade and bootloader
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:14 pm

Those features existed previously and if you used them, they are still working. Only new configuration requires approval by button press, for remotely connected user, to protect against remote intruder.
 
TomSF
Member Candidate
Posts: 104
Joined: Tue Jun 27, 2017 2:12 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:30 pm

> > After update CAPsMAN with wireless package stopped working, in the log there are tons of:
> > CAP failed to join MikroTik (::ffff:127.0.0.1:5246)
> > CAP connect to MikroTik (::ffff:127.0.0.1:5246) failed: timeout
>
> Also seeing this. Tried with 7.17beta2 on both cap and capsman - would not work. Same with 7.16 on capsman and 7.17beta2 on cap.. timeouts.
I discovered the same issue. 7.17B2 will not provision wireless capsman controlled AC CAPs (mipsbe) access points. It shows the interfaces but shows no remote CAPs. I upgraded one CAP to 7.17B but it still does not work. Also, as you report, 7.16 capsman does not work with 7.17B2 access points.
 
ufm
Member Candidate
Posts: 103
Joined: Fri Nov 15, 2013 12:02 pm
Location: Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:51 pm

> > It starts to look like some at Mikrotik are not exactly familiar with the concept of managing devices in inaccessible locations or located in other country (or even continent)....
>
> Please describe your specific use case, so we can see how to improve it. Not theory, real use.
Normis, do you want a use case? Here you go. There’s a war in my country. The equipment is located in a place where bombs are currently falling. Right now, I don’t need the notorious traffic-gen there. I updated the firmware, and suddenly I needed that very traffic-gen. I think the best solution would be to send one of the MikroTik employees (for example, you) over there to press the button or turn the power off/on. After the first nearby explosion, that employee will stop asking silly questions.
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 4:54 pm

What will you be using traffic gen for, in this remote router? There is no need for theoretic, like I said
 
ufm
Member Candidate
Posts: 103
Joined: Fri Nov 15, 2013 12:02 pm
Location: Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:03 pm

> What will you be using traffic gen for, in this remote router? There is no need for theoretic, like I said
To check the quality of the connection after a bombing, for example. I'll repeat what I’ve already written — please, don’t touch professional equipment. The industry already has the opinion about MikroTik: "Try not to update firmware — they’re bound to break something in the process."
 
sinisa
newbie
Posts: 34
Joined: Sun Apr 17, 2011 12:46 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:04 pm

> I already explained, that if you have access to this device and are able to issue commands, you can also fix your config in other ways, not just by partition change. And if a script can do things in your router, so could an attacker. Those people that have thousands of routers that all use partitions and automated upgrades, that switch to backup partitions, when something can't be pinged (netwatch), yes, will have to manually enable partition mode for this to be possible. But I personally think there are better ways to protect a device against failed upgrades.
I think that you (Mikrotik) think wrong... There are countless devices inside company networks that are not exposed to The Internet in any way, but also not easily reachable/available for power-off or button press during day/normal working time. Some even require special permissions to enter the room at any time, not to mention more special permission and at least two people to get in during the night (I personally have only a few, but most of my clients are not that paranoid). Luckily, I don't have any devices left on hotel roofs, stadium light poles or similar hard to reach places, I was lucky to have them replaced with optical cables a few years ago :)

To paraphrase your last sentence: I think there are better ways to protect a device against unauthorised access, especially if it is not reachable from The Internet (btw, I don't understand why people assume that every router will be connected to The Internet?).

So I still think that there should be a "I-know-what-I'm-doing" device mode, and YES, I would set ALL of devices I control to that without thinking a second, just as you said... Just don't make me go push a button on every OLD device already in production.

Thank you for reading and understanding this.
 
bajodel
Long time Member
Posts: 552
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:05 pm

Premise: if you have a 7.16 backup partition, it means that it's there for a reason -> switch over it if new doesn't work as you expect.

If you upgrade your primary part to 7.17 ..then the router boots and works but some service is misbehaving (let's say OpenVPN is broken ..or PPPoE Server has issues..); you want at this point switch over the backup partition or to downgrade.
You can't because both are now blocked by this new lock in 7.17. The device is remote (maybe you have plenty of them) and you have to go there and push the bloody button?

If you don't understand it, please have some rest (ehi, it's friday) and think again about it on monday. ;-)
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:13 pm

I do understand these theoretical situations. There are several types of posts here:

- People who want to know what exactly will happen, and who have not yet read the previous posts. I try to answer them.
- People who have theoretical "what if ..." concerns for highly improbable scenarios. Sure, they are true, but how critical is this really in real life.
- People with very specific use cases that MikroTik did not imagine before.

I am trying to help the first people and to better understand the other two. If you post your specific use cases, we can understand it better and try and find other kind of solutions to the original security issues.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:20 pm

Instead of talking about the consequences of new device-mode settings in 7.17.

Mikrotik, dear Normis: could you disclose your reasons for applying the changes?
> !) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;

A reason for each one. Why bootloader? Why downgrade? Why active partitions? How did you come up with this decision/change? Was there a specific finding or incident?

Maybe acceptance is growing - at least a little - when people know the reasons for these drastic changes.
 
bajodel
Long time Member
Posts: 552
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:21 pm

You don't need to "understand" or "explain", you simply just need to set a timer on 7.17 .. after a week the system is running it will enforce the new policy ..during the first week (grace), admins are allowed to (re-)enable the "partition, downgrade and bootloader" functions.

It's fair: you introduce a new policy, give users the possibility to adapt. Otherwise you HAVE TO give the users a way to prepare BEFORE (a special procedure to properly set those parameters beforehand).
 
normis
MikroTik Support
Posts: 26893
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:22 pm

People who did not read changelog will be shocked in 8 days then
 
bajodel
Long time Member
Posts: 552
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:25 pm

People that manage many devices and remote ones ..they will read, those that don't plan their work are not interested in this topic (IMHO).
 
ufm
Member Candidate
Posts: 103
Joined: Fri Nov 15, 2013 12:02 pm
Location: Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:29 pm

I think MikroTik will achieve the opposite result. Now everyone will enable everything right from the initial setup stage because that's easier than thinking, "Will I need this or not, and will I have to climb onto the roof in the middle of the night?" Well done.
 
bajodel
Long time Member
Posts: 552
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:33 pm

> I think MikroTik will achieve the opposite result. Now everyone will enable everything right from the initial setup stage because that's easier than thinking, "Will I need this or not, and will I have to climb onto the roof in the middle of the night?" Well done.
Sure .. but you can't enable NOW for future version/policy. So double damage, they enable all features and those who need them can't do that ;-)
 
sinisa
newbie
Posts: 34
Joined: Sun Apr 17, 2011 12:46 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:33 pm

> I do understand these theoretical situations. There are two types of posts here:
>
> - People who want to know what exactly will happen, and who have not yet read the previous posts. I try to answer them.
> - People who have theoretical "what if ..." concerns for highly improbable scenarios. Sure, they are true, but how critical is this really in real life.
> - People with very specific use cases that MikroTik did not imagine before.
>
> I am trying to help the first people and to better understand the other two. If you post your specific use cases, we can understand it better and try and find other kind of solutions to the original security issues.

I see that people are giving very specific situations from real life, there is nothing "theoretical" here: devices that are not easily accessible, on which they WANT to enable downgrade or other features they already had before (for whatever reason, mine is that I want to be sure that I'll be able to downgrade in case some problem appears days or weeks after an upgrade, in spite of all the testing I did in advance - would not be the first time I need this!).

Then again, why would YOU care how I want to manage MY devices? I actually think that all this "device mode" stuff was totally unnecessary from the beginning and never used it (of course, I read all the docs about it when first heard about it and found that I don't need it for my usage patterns). I was OK with "enterprise" mode because it did not limit my access to MY devices. I am NOT OK with "advanced" mode which is limiting me. I don't want to spend more $ than the equipment is worth to go out there and visit every device just to press a button, also don't want to buy/test/install/maintain more hardware just to be able to power cycle remote devices...
 
Panbambaryla
Frequent Visitor
Posts: 61
Joined: Sat Jun 08, 2019 12:12 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:33 pm

@normis - you still don't get it and are redirecting the discussion into a nonsense area. Now it looks like you're the father of this new device-mode and will keep defending it till the death. Many examples above gave us a full spectrum of real life situations where your idea is wrong. Don't be so arrogant and think it over before your next response...
 
sirbryan
Member
Posts: 392
Joined: Fri May 29, 2020 6:40 pm
Location: Utah
Contact:

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:42 pm

> above quoted line from the manual
>
> > "you can use the "save config" button to copy it over to other partitions.""
>
> this can be done without any device mode changes, limitation only is applied to manual re-booting to other partition, if main one is still working

And this is the problem. There are plenty of us who manually switch between them for various reasons. In particular, the newly loaded version may "work" just fine, but have enough bugs in it that we don't want to stay on that version. I want to be able to manually switch back to my backup version if the new version under test has OSPF/BGP/ISIS/L3HW stability issues, for example.
 
nmt1900
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:43 pm

> > It starts to look like some at Mikrotik are not exactly familiar with the concept of managing devices in inaccessible locations or located in other country (or even continent)....
>
> Please describe your specific use case, so we can see how to improve it. Not theory, real use.

How about when device is both physically inaccessible and situated in a really complicated location?
We have cases where Mikrotik devices are installed inside the appliances and only way to access them is (partial) disassembly of appliance itself. One example was Mikrotik device providing connection to our IoT "mothership" and it was a part of a smoking oven... which ended up at EXPO in Dubai. I wouldn't even mind to make a trip from northern part of Europe to see things over there, but I am not sure who would be interested in paying for that trip...
 
ufm
Member Candidate
Posts: 103
Joined: Fri Nov 15, 2013 12:02 pm
Location: Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:45 pm

Normis, many people are trying to convey a simple idea to you — we bought a device, and we want to manage it the way we need, without waiting for explanations from MikroTik. When we bought these devices, these restrictions didn’t exist. Why do you think you can degrade the functionality of the devices? Why do you think you can force so many people to spend their time and money solving a problem they didn’t have before and that you’re now creating for them?
 
toxicfusion
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 5:58 pm

I feel there should be a line in sand drawn -- more advance notice to community. I suppose, this is their advanced notice - by placing it in a Beta release.

Or, they draw the line to hAP level devices for this type of default "advance-mode". Then Put "enterprise-mode" on the Pro/enterprise level devices for those that need full-features...... Perhaps writing has been on the wall with the RouterOS Enterprise [ROSE].

We all know how the hAP line and the lower cost devices, new entry-level buyers will purchase and then complain they can't configure because they don't know networking.

MikroTik saying the new release will default to "advance-mode". We will have to go in and modify our config to enterprise-mode before we can downgrade or change boot loader settings? This should be new default for re-install or newly purchased devices.

https://help.mikrotik.com/docs/display/ROS/Device-mode
 
toxicfusion
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 6:38 pm

also to MikroTik -- Given the backup partition. All this new work been done in release and Winbox4.

Why hasn't more work been done on CAPsMAN? IE: Config sync to secondary/failover CAPsMAN "controllers". I hope there are now concurrent development teams within.

Application team: Winbox, containers
OS Level
Wireless
WebFig / Userman [Userman is still garbage in rOS 7.0]. Having to resort to third-party for voucher creation.
 
ormandj
just joined
Posts: 18
Joined: Tue Jun 15, 2021 12:25 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 6:54 pm

> ormandj
> "It seems like the upgrade should have an option to leave all pre7.17 devices in the same state they were post upgrade"
> That's exactly as it is. I already explained it. Your running config is not affected.

I read the update as anything you currently have configured/is running won't change, but your ability to configure things that require the advanced mode functionality will no longer be possible. Is that a misunderstanding on my part? I'm suggesting that the default behavior can be to lock down _new_ configuration of those options, but that an upgrade should have the option to choose _not_ to lock these things down for _new_ configuration on existing devices that were pre-7.17. This would remove the need for any physical visits for those who choose to opt out of the new default mode, as long as the option was selected properly on update.

This also should be a very clear, and VERY bold note at the top of the release notes/upgrade instructions. Give people the option to opt-out of this new behavior if they know they need to, even if you want to make the defaults more "secure" for those who don't know better.
 
Paternot
Forum Guru
Posts: 1049
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 7:14 pm


> Please describe your specific use case, so we can see how to improve it. Not theory, real use.

I think about 90% of the heat from this future change comes from people that DO use partitioning. Because we DO use it: the ability to have more than one partition, and do either a failover or a manual switch, is a godsend blessing. I really can't imagine how Mikrotik would downplay something SO vital to a basic networking block as a router.

Me and several others have always complained about the 16MB devices - not because we want to put movies on the storage, but because it can't be partitioned. I really think Mikrotik is missing one trick here: EVERY device (minus some very few weird cases?) should have flash enough to be partitioned in two, with enough space left to do a normal upgrade and then some more (future proofing is always good). I'm not talking about 1GiB storage here. I'm talking about 64MB for routers/switches without wireless, and 128MB for whatever comes with wireless. This way we can use partitions and upgrade them with peace of mind.

Now, about the use cases:

1) Production partition and failover partition. Not a backup (those are external), but a fail over. We just copy the production one into the fail over, do the upgrade and reboot. If we have problems, it's always possible to roll back. Yes, a catastrophic problem would boot the fail over partition anyway. But it doesn't help if the router boots, is accessible and get some new blocking bug that didn't exist before. In these cases we would just change the partitions and restore service. This can't be done (at least if I understood right) after we upgrade from 7.16 to 7.17 - because we would need to enable it for the first time.
2) Testing new versions. Yes, yes, one should do it on the lab. True, but at some point it will be put in production - and we never know if some distant site will break in weird ways. Using some units as a coal canary saves a lot of problems. A new 7.17 device would have to be configured to allow this - not a problem. But - again - an upgrade from 7.16 to 7.17 would require physical intervention. And it isn't always easy to do.
3) Sometimes a stable version has a blocking bug, and the (still beta) one solves it. In these situations it may be reasonable to put a beta version on this specific site. If it is across the street, no big deal having to press the button and rollback if necessary. If we are talking about something in the middle of nowhere, meaning a 3 hour drive plus a 2 hour hiking... well, things start getting problematic.
4) Even with easy accessible devices. If we need to reset 3 of them, no one will think about it. Try doing this in a bigger environment, with hundreds of places to go. At each place it will cause an interruption - it has to be negotiated too. Users get angry, management gets angry. Corporate metrics get angry. SLAs get thrown out (they won't because of one reset - but 200 resets later...)

So, these are some general (and very real) situations that would be negatively impacted by this change. Please understand that we aren't complaining about the device-mode on new routers: I really like this idea. What we are complaining about is the fact that - if we understood right - the way Mikrotik intends to implement it on production devices can have a very real and detrimental impact on us.

Give us a way to set this without reboot, before we reach 7.17
Do like was done on 7.12 (was 7.12, wasn't ?): we had to upgrade to that version, before going to the next. Say, one should upgrade first to 7.16.<last>, before going to 7.17 - and on this last 7.16 we could set everything without the physical part. This way we can prepare for the change, we all get the benefits of the higher security later and everybody is happy.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 8:16 pm

@normis
Sorry for my not perfect English
I think you are not getting the point...
To be very honest mkt don't have a very quality control at all,
I can't remember how many times..
After you guys release a stable version that was OK in the beta but make a lot of kernel panic.. Or reboots loops..and before you say.. But if boot loop or kernel panic schedule or some script won't help....
Sorry to inform you that is not always the case..
I remember one or 2 times that after the upgrade..
Because of some issue with the wifi driver it cause device to boot loop, every 30,40 seconds.. So if you was the flash you could login and disable wifi /capsman and will stop boot loop so...
There is a real case where schedule to revert to backup partition came handy..
And because device boot "normally" it won't trigger the auto fall back partition....
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 8:20 pm

> - People who want to know what exactly will happen, and who have not yet read the previous posts. I try to answer them.

Using CLI/scripting – say from defconf or netinstall script – how do you check if a particular "device-mode" is active?

All the usual CLI/scripting things cannot get that information from "device-mode":
/system/device-mode/print
#       mode: advanced
#       container: yes     
/system/device-mode/print <tab>
# as-value     file     interval     without-paging  
:put [/system/device-mode/get]         
# container=true;mode=advanced

The core issue being that "/system/device-mode/get <service>" returns "nil", and does not "resolve" the "mode=advanced". i.e. A script has no idea WTF "mode=" means, and config code like know if "traffic-gen" (or whatever) was active before doing something.

In what I thought be a simple loop, that shows the problem, or perhaps, nil:

:foreach i in=[/console/inspect request=self path=system,device-mode,update as-value] do={:if ($i->"type" != "self" && !(($i->"name")~"activation-timeout|append|as-value|duration|file|interval|once|without-paging")) do={:local k ($i->"name"); :local v [/system device-mode get $k]; :put "$k = $v (type: $[:typeof $v])"}}
authorized-public-key-hash = (type: nil)
bandwidth-test = (type: nil)
bootloader = (type: nil)
container = true (type: bool)
do = (type: nil)
downgrade = (type: nil)
email = (type: nil)
fetch = (type: nil)
flagged = (type: nil)
flagging-enabled = (type: nil)
hotspot = (type: nil)
ipsec = (type: nil)
l2tp = (type: nil)
mode = advanced (type: str)
partitions = (type: nil)
pptp = (type: nil)
proxy = (type: nil)
romon = (type: nil)
scheduler = (type: nil)
smb = (type: nil)
sniffer = (type: nil)
socks = (type: nil)
traffic-gen = (type: nil)
zerotier = (type: nil)
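
An added example (not part of the post above, and not MikroTik code): a Python pre-flight check that parses the `name = value (type: T)` lines printed by a loop like the one above and treats every `nil` as "state unknown" instead of guessing enabled or disabled, so automation fails closed before it relies on a partition switch or downgrade. Function names are hypothetical, and the sample input is a subset constructed from the output shown above.

```python
import re

# Constructed sample: a subset of the "name = value (type: T)" lines
# from the loop output quoted in the post above.
SAMPLE_DUMP = """\
bootloader = (type: nil)
container = true (type: bool)
downgrade = (type: nil)
mode = advanced (type: str)
partitions = (type: nil)
traffic-gen = (type: nil)
"""

# name, optional value (empty when the type is nil), then the reported type
LINE_RE = re.compile(
    r"^(?P<name>[\w-]+)\s*=\s*(?P<value>.*?)\s*\(type:\s*(?P<type>\w+)\)\s*$"
)


def parse_device_mode_dump(text):
    """Return {name: (value, type)}; value is None where 'get' returned nil."""
    result = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip prompts, blank lines and anything else
        vtype = match.group("type")
        value = None if vtype == "nil" else match.group("value")
        result[match.group("name")] = (value, vtype)
    return result


def feature_state(dump, name):
    """Tri-state answer: 'enabled', 'disabled' or 'unknown'.

    A nil (or a missing key) means the script cannot see the effective
    setting, so it is reported as 'unknown', never as 'disabled'.
    """
    if name not in dump:
        return "unknown"
    value, vtype = dump[name]
    if vtype != "bool":
        return "unknown"
    return "enabled" if value == "true" else "disabled"


def preflight(dump, required):
    """Fail closed: list every required feature not confirmed as enabled."""
    return [name for name in required if feature_state(dump, name) != "enabled"]


if __name__ == "__main__":
    dump = parse_device_mode_dump(SAMPLE_DUMP)
    blocked = preflight(dump, ["container", "partitions", "downgrade"])
    print("cannot confirm:", ", ".join(blocked) or "nothing")
```
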
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 8:55 pm

> Those features existed previously and if you used them, they are still working. Only new configuration requires approval by button press, for remotely connected user, to protect against remote intruder.

On Audience running 7.16:
[andrew@MikroTik] > /system/device-mode/update partitions=yes
expected end of command (line 1 column 28)
[andrew@MikroTik] > /system/device-mode/update downgrade=yes 
expected end of command (line 1 column 28)
[andrew@MikroTik] > /system/device-mode/update bootloader=yes
expected end of command (line 1 column 28)
I.e., none of the above existed prior to 7.17.
We absolutely need a way to set them remotely on the already deployed devices before you enforce them on a RouterOS upgrade.
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:05 pm

> what could be so f***ed up that you can't fix it from the fully working command line, but you can type "partition activate" command?

There have been a couple of cases in my experience with RouterOS, when after a version upgrade some services did not work as expected, and no change in configuration could fix that. The exact same configuration then worked as expected after being applied to the same device after the configuration reset.
 
fischerdouglas
Frequent Visitor
Posts: 69
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:34 pm

fischerdouglas compilation
Let's talk about Hardware Offload?

No news about BGP Flowspec progress on this 7.17?

What about TR-101 on PPPoE/IPoE support?
Any ETA to adding the possibility to do the Username Replacement for the string that comes on Circuit-ID or Remote-ID?

I reiterate my suggestion that RouterOS should start exporting some Hooks that allow triggers to be triggered.

Perhaps an Intra-RouterOS Hook management tool?
Where events that have a hook would start asking this tool: "I'm doing this, I'm doing that, is there a hook here or can I go straight ahead?"

A DHCP request becoming a Radius Query is exactly an example of how this could be used.

A DHCP event asks this question to the Hooks Center:
- If it receives a "Nothing here! You can go ahead" the DHCP event sends it to the Radius-Client Process as is.
- If it doesn't receive a response in 500ms, the DHCP event sends it to the Radius-Client process as is.
- If it receives a "run this script", it executes it, reprocesses it, and then sends it to the Radius-Client process after having changed it.



When do MikroTik team intend to start showing that:
/ip/route/print
/ipv6/route/print
/routing/route/print
They all deal with the same route table?

I feel like the effort they make to separate this in Winbox and in the CLI is hindering more than helping.



When will all RouterOS processes be placed inside their respective containers (behind the scenes), and thus allow these processes to be easily controlled by Cgroups, limiting the maximum resource usage for each container, and at the same time ensuring that each resource has its respective priority?

This would prevent processes that get out of control from affecting other processes and also the forwarding plane. At the same time, it would prevent grotesque things like a BGP/OSPF/BFD process from crashing when there is such a large amount of packets that it takes up all the computational resources of the box.


When will we be able to enable uRPF per interface?

When will it be possible to use VRF without losing Fast-Path and Hardware Offload features?

Have you MikroTik guys considered splitting the DNS service as was done with the Wifi packages?
Separating different things of different interest into Packages?
Embedded in RouterOS DNS being just a regular AND SIMPLE DNS relay/recursive.
Focused on attending to the requirements of scenarios of home and basic device-modes.
An extra dns.npk designed to be a more complex DNS service, with all the more advanced features that already exist on actual DNS, and other ones that were not included because it complicates much of the basic.
It would reduce the probability of simple issues affecting a huge number of devices.
Would make it easier to do some demands that are a pain to deploy in the current scenario(like VRF on outgoing queries).
It would also prevent less experienced users from getting into trouble by messing with settings that don't need to exist in more basic scenarios.

About User-Manager:

Any plans to allow it to be configured to query LDAP databases?

What about allowing the UserManager Radius to be configured to act as a Radius-Proxy for other Radius-Servers?


Any chance of DHCPv6 Circuit-ID(Option18) and Remote-ID(Option37) start to be forwarded as AVP in Radius Requests of DHCPv6 server?

And what about Vlan Demuxing?
Equivalent to "stacked-vlan-ranges dynamic-profile" in Junos.

Can we expect that to be earlier than 12 months?
Last edited by chechito on Sat Oct 05, 2024 9:26 am, edited 1 time in total.
Reason: consolidation in a single post
 
Amm0
Forum Guru
Posts: 4274
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:46 pm

> what could be so f***ed up that you can't fix it from the fully working command line, but you can type "partition activate" command?

Not theoretical - related to "downgrade" device mode
3rd party LTE modems breaking after a version upgrade
While rare (and good work by LTE folks)... but with 1000++'s modem+variant/carrier/tower combo... There is non-zero chance some upgrade will break support for some modem+variants/carrier/tower combos - it happens. If it does... "downgrade" be needed. And to not look like a fool...you'd go back to whatever exact version was just working/running.

So... if LTE was the only source (which happens, but rare is most our cases)... how do you download the packages from a channel= since that requires the internet (and LTE was the only source - that's broken by upgrade)? All the "offline cases" with "downgrade" device-mode... is very unclear to me.
Last edited by Amm0 on Fri Oct 04, 2024 9:49 pm, edited 1 time in total.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 9:58 pm

yeah, the day I learned it's the same list - just filtered....🤯
Winbox total count not matching amount of items in list. such an awkward thing to scatter over places...
 
eworm
Forum Guru
Posts: 1090
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 10:48 pm

Type "nil" is the default. If you know that you can use it:
https://git.eworm.de/cgit/routeros-scri ... 493ae36ff6
 
lelmus
newbie
Posts: 28
Joined: Wed Oct 17, 2012 5:50 am

Re: v7.17beta [testing] is released!

Fri Oct 04, 2024 10:58 pm

Can anyone else confirm that the packet loss has increased in 7.17beta2 by comparison to 7.16? I noticed websites failing to load on 7.17beta2 and tested using https://speed.cloudflare.com/. I saw in "Packet Loss Measurements" between 1% to 10% lost packets and never 0% of lost packets. I downgraded to 7.16 and most are 0% of lost packets and the highest lost packets was 0.5% of lost packets.

To me it's obvious that 7.17beta2 is losing packets. I turned off all queues and same results.
 
guipoletto
Member Candidate
Posts: 201
Joined: Mon Sep 19, 2011 5:31 am

Re: v7.17beta [testing] is released!

Sat Oct 05, 2024 12:19 am

> When will all RouterOS processes be placed inside their respective containers (behind the scenes), and thus allow these processes to be easily controlled by Cgroups, limiting the maximum resource usage for each container, and at the same time ensuring that each resource has its respective priority?
>
> This would prevent processes that get out of control from affecting other processes and also the forwarding plane. At the same time, it would prevent grotesque things like a BGP/OSPF/BFD process from crashing when there is such a large amount of packets that it takes up all the computational resources of the box.

I've actually seen 802.3 LAG interfaces die, because some other process was hogging the CPU, and the system could not honor the "hardware keepalive" messages
so, hierarchical prioritization / resource reservation would be very nice to have
 
jaxed7
Frequent Visitor
Posts: 53
Joined: Wed May 17, 2023 11:15 pm

Re: v7.17beta [testing] is released!

Sat Oct 05, 2024 5:12 am

Upgrading from 7.13.4 to 7.17beta2 on one X86 router resulted in some sort of malfunction in routing that could not even print nor export /ip route of the router and previous configs in this section were not working where as reboot or shutdown didn't help either however a reset configuration did sorta bring it back to normal behavior at the cost of losing those configurations.

Upgrading from 7.13.5 to 7.17beta2 on another X86 router did work as expected and did not result in former strange behavior in route.

P.S. both routers configurations are almost identical.
 
PackElend
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: v7.17beta [testing] is released!

Sat Oct 05, 2024 6:11 am

Is there a specific reason why
multi-passphrase is not supported for the WPA3-PSK authentication type.

Will it be supported in future releases?
 
gigabyte091
Forum Guru
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.17beta [testing] is released!

Sat Oct 05, 2024 6:28 am

That's because PPSK probably doesn't support management frame protection which is I think needed for WPA3.
 
toxicfusion
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.17beta [testing] is released!

Sat Oct 05, 2024 7:07 am

I appreciate MikroTik here [normis] taking the time to provide detailed replies, taking time to try to answer question and make points. Obviously there is passion here and defending.

I mentioned this before in another general topic/thread. I FEEL MikroTik SHOULD shift to soho/pro/enterprise product models. This new security "feature" of device-mode fits that model.

Further, if this new device-mode and concern of locking features and or requiring remote power-cycle. This should be more for "enterprise" level devices - where most deployments should have OOB management means, or a power control PDU to remotely power cycle power ports in real environments.

Otherwise, for soho devices - it is easy for end-user to power-cycle a device.

What about us that operate as WISP, ISP or consultants deploying devices and are soon ready to upgrade past 7.17+. Would we then need to schedule maintenance AND truck rolls to touch EACH device in order to properly change device-mode? Or we have to instruct the customers / end-users we need them to perform XYZ steps due to a security rollout? Otherwise, we decide to stay away from 7.17. Hard to stay away, especially when have future wireless enhancements -- AX is broken. [mANTBox 15 ax]

However, this might be a MOOT issue, given MikroTik will change the default to "advanced". It would be for those "soho/consumer". COUGH hAP type devices -- need to be set to device-mode=HOME. for HOME users that do not need said features....

Distinctive product lines that properly align with RouterOS functionality makes more sense. Default hAP to 'device-mode=home', and then if we CHOOSE as professionals / enthusiasts to use the hAP type device in other means and function, we can configure for advanced/enterprise and physically power cycle...
 
liveup
just joined
Posts: 11
Joined: Fri Aug 19, 2022 3:08 pm

Re: v7.17beta [testing] is released!

Sat Oct 05, 2024 8:42 am

*) zerotier - upgraded to version 1.14.0;
Thanks for ZT update, have a good weekend all.
+1
There are also newer options in ZeroTier too that are not exposed... yet? i.e. be nice to control multipath and enable low-bandwidth mode
Has anyone checked if private moons support is really working?
need moons, too
